
JSON Threat Protection for API Gateway

The JSON threat protector in WSO2 API Manager validates the request body of the JSON message against pre-configured limits to thwart payload attacks.

Detecting vulnerabilities before parsing the message

The json_validator sequence specifies the properties to be limited in the payload. A sample json_validator sequence is given below.

<sequence xmlns="http://ws.apache.org/ns/synapse" name="json_validator">
    <log level="custom">
        <property name="IN_MESSAGE" value="json_validator"/>
    </log>
    <property name="maxPropertyCount" value="100"/>
    <property name="maxStringLength" value="100"/>
    <property name="maxArrayElementCount" value="100"/>
    <property name="maxKeyLength" value="100"/>
    <property name="maxJsonDepth" value="100"/>
    <property name="RequestMessageBufferSize" value="1024"/>
    <class name="org.wso2.carbon.apimgt.gateway.mediators.JsonSchemaValidator"/>
</sequence>

Property              Default Value  Description
maxPropertyCount      100            Maximum number of properties
maxStringLength       100            Maximum length of a string
maxArrayElementCount  100            Maximum number of elements in an array
maxKeyLength          100            Maximum length of a key
maxJsonDepth          100            Maximum depth of the JSON


Editing the sequence through registry artifacts

To edit the existing sequence, follow the steps below.

  1. Log in to the Management Console.
  2. Navigate to /_system/governance/apimgt/customsequences/in/json_validator.xml
  3. Edit the json_validator.xml file.
  4. Go to the API Publisher and re-publish your API for the changes to take effect.

Applying the JSON validator policy

You can apply the pre-defined JSON policy through the UI. Follow the instructions below to apply the json_validator sequence to the In Flow.

  • Create an API or edit an existing API.

  • Go to Message Mediation Policies under the Implement tab.

  • Select Enable Message Mediation. Select json_validator from the drop-down menu for In Flow.

  • Click Save and Publish to save the changes.


Testing the JSON threat protector

You can edit the sequence to set the property values according to your requirements. A sample request and response for each property value set to 5 is given below.
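
The following Python example is added here and is not WSO2 code or the gateway's own request/response sample: it applies the five json_validator limits, each set to 5 as in the test described above, to a payload and reports which limits it exceeds. The counting rules (property and element counts per object or array, depth counted from 1) and the names LIMITS, SAMPLE, Pairs, scan_depth and violations are assumptions made for illustration.

```python
import json
# Limit names come from the json_validator sequence; 5 mirrors the page's test setup.
LIMITS = dict(maxPropertyCount=5, maxStringLength=5, maxArrayElementCount=5,
              maxKeyLength=5, maxJsonDepth=5)
SAMPLE = '{"userid": [1, 2, 3, 4, 5, 6]}'  # constructed payload, not from the page

class Pairs(list):
    """A JSON object kept as (key, value) pairs so duplicate keys still count."""

def scan_depth(text):
    """Deepest {}/[] nesting, found by scanning characters without parsing."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:  # brackets inside string values must not count
            in_string = escaped or ch != '"'
            escaped = ch == "\\" and not escaped
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "}]":
            depth -= 1
    return deepest

def violations(text, limits=LIMITS):
    """Names of the limits a payload exceeds (assumed: counts apply per object/array)."""
    if scan_depth(text) > limits["maxJsonDepth"]:
        return ["maxJsonDepth"]  # reject before a nesting bomb reaches the parser
    found = set()
    def check(name, size):
        if size > limits[name]:
            found.add(name)
    def walk(node):
        if isinstance(node, Pairs):  # must be tested before plain list
            check("maxPropertyCount", len(node))
            for key, value in node:
                check("maxKeyLength", len(key))
                walk(value)
        elif isinstance(node, list):
            check("maxArrayElementCount", len(node))
            for item in node:
                walk(item)
        elif isinstance(node, str):
            check("maxStringLength", len(node))
    walk(json.loads(text, object_pairs_hook=Pairs))
    return sorted(found)
```

Calling violations(SAMPLE) flags the 6-character key and the 6-element array; malformed JSON raises ValueError from json.loads.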

Performance impact

The JSON schema mediator builds the message at the mediation level. For 10KB messages and 300 concurrent users, this reduces performance by a factor of 5.2 compared to the normal flow.