This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
XML Threat Protection for API Gateway
The XML threat protector in WSO2 API Manager validates XML payloads against pre-configured limits. It uses the following methods to protect the gateway from XML-based attacks.
Detecting malformed or vulnerable XML messages through limits
The xml_validator sequence specifies the properties that are limited in the payload. A sample xml_validator sequence is given below.
    <sequence xmlns="http://ws.apache.org/ns/synapse" name="xml_validator">
        <log level="custom">
            <property name="IN_MESSAGE" value="xml_validator"/>
        </log>
        <property name="xmlValidation" value="true"/>
        <property name="dtdEnabled" value="false"/>
        <property name="externalEntitiesEnabled" value="true"/>
        <property name="maxXMLDepth" value="100"/>
        <property name="maxElementCount" value="100"/>
        <property name="maxAttributeCount" value="100"/>
        <property name="maxAttributeLength" value="100"/>
        <property name="entityExpansionLimit" value="100"/>
        <property name="maxChildrenPerElement" value="100"/>
        <property name="schemaValidation" value="true"/>
        <switch source="get-property('To')">
            <case regex=".*/addResource.*">
                <property name="xsdURL" value="<Insert the XSD URL>"/>
            </case>
            <!--<case regex=".*/update.*">-->
            <!--<property name="xsdURL" value="<insert XSD_URL>"/>-->
            <!--</case>-->
            <!--<case regex=".*/delete.*">-->
            <!--<property name="xsdURL" value="<insert XSD_URL>"/>-->
            <!--</case>-->
        </switch>
        <property name="RequestMessageBufferSize" value="1024"/>
        <class name="org.wso2.carbon.apimgt.gateway.mediators.XMLSchemaValidator"/>
    </sequence>
Users can enable or disable XML payload limits and schema validation. Some examples are shown below.
XML payload validation properties
Disable DTD processing in the XML properties to avoid attacks
You can also turn external entity processing for the payload on or off. The configurable properties of the XML request body are listed below.
Property                | Default value | Description
------------------------|---------------|------------------------------------------------------------------
dtdEnabled              | false         | The DTD can be enabled/disabled according to your requirement.
externalEntitiesEnabled | true          | External entities in the payload can be enabled/disabled according to your requirement.
maxXMLDepth             | 100           | Maximum depth of the XML request message.
maxElementCount         | 100           | Maximum number of allowed elements in the XML request message.
maxAttributeCount       | 100           | Maximum count of allowed attributes in the XML request message.
maxAttributeLength      | 100           | Maximum allowed length of each attribute value in characters.
entityExpansionLimit    | 100           | Maximum allowed entity expansion limit of the XML request message.
maxChildrenPerElement   | 100           | Maximum number of child elements allowed in the XML request message.
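The limits in the table above are the kind of structural checks a streaming parser can enforce before a message is ever built in full. The following is an added example, not WSO2 code and not the XMLSchemaValidator mediator: a hypothetical checker written with Python's standard expat parser that enforces dtdEnabled, maxXMLDepth, maxElementCount, maxAttributeCount, maxAttributeLength and maxChildrenPerElement, using the same property names and default values as the sample sequence. The payloads at the bottom are constructed for the demonstration.

```python
import xml.parsers.expat
from typing import Dict, Optional, Tuple


class XmlThreatViolation(Exception):
    """Raised when a payload breaks one of the configured limits."""


# Defaults mirror the property names and values of the xml_validator sequence.
DEFAULT_LIMITS = {
    "dtdEnabled": False,
    "maxXMLDepth": 100,
    "maxElementCount": 100,
    "maxAttributeCount": 100,
    "maxAttributeLength": 100,
    "maxChildrenPerElement": 100,
}


def validate_xml_payload(payload: bytes, limits: Optional[Dict] = None) -> Dict:
    """Stream-parse `payload` and enforce the limits; returns observed statistics.

    Raises XmlThreatViolation as soon as a limit is exceeded, so an oversized
    or hostile document is never materialised (hypothetical checker, not the
    WSO2 mediator).
    """
    lim = {**DEFAULT_LIMITS, **(limits or {})}
    stats = {"elements": 0, "maxDepth": 0}
    open_children = []  # one child counter per currently open element (a stack)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # With dtdEnabled=false any DOCTYPE is rejected, which also shuts out
        # entity declarations, the vehicle for entity-expansion attacks.
        if not lim["dtdEnabled"]:
            raise XmlThreatViolation("dtdEnabled=false: DOCTYPE declaration rejected")

    def on_start(name, attrs):
        stats["elements"] += 1
        if stats["elements"] > lim["maxElementCount"]:
            raise XmlThreatViolation(f"maxElementCount exceeded ({lim['maxElementCount']})")
        if open_children:
            open_children[-1] += 1
            if open_children[-1] > lim["maxChildrenPerElement"]:
                raise XmlThreatViolation(f"maxChildrenPerElement exceeded at <{name}>")
        open_children.append(0)
        depth = len(open_children)
        stats["maxDepth"] = max(stats["maxDepth"], depth)
        if depth > lim["maxXMLDepth"]:
            raise XmlThreatViolation(f"maxXMLDepth exceeded ({lim['maxXMLDepth']})")
        if len(attrs) > lim["maxAttributeCount"]:
            raise XmlThreatViolation(f"maxAttributeCount exceeded on <{name}>")
        for attr, value in attrs.items():
            if len(value) > lim["maxAttributeLength"]:
                raise XmlThreatViolation(f"maxAttributeLength exceeded on {name}@{attr}")

    def on_end(name):
        open_children.pop()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML is rejected as well; the page treats it the same way.
        raise XmlThreatViolation(f"malformed XML: {exc}") from None
    return stats


def is_safe(payload: bytes, limits: Optional[Dict] = None) -> Tuple[bool, str]:
    """Convenience wrapper returning (accepted, reason) instead of raising."""
    try:
        stats = validate_xml_payload(payload, limits)
    except XmlThreatViolation as exc:
        return False, str(exc)
    return True, f"accepted: {stats}"


if __name__ == "__main__":
    # Constructed sample payloads, not taken from the page.
    samples = {
        "benign": b"<order id='42'><item sku='A1'/><item sku='B2'/></order>",
        "too deep": b"<a>" * 150 + b"</a>" * 150,
        "doctype": b"<!DOCTYPE doc [<!ELEMENT doc ANY>]><doc/>",
        "truncated": b"<order><item/>",
    }
    for label, body in samples.items():
        print(f"{label:>10}: {is_safe(body)}")
```

Two properties are deliberately not modelled: externalEntitiesEnabled (expat does not resolve external entities unless a handler asks it to) and entityExpansionLimit, which becomes moot once DOCTYPE is rejected outright. Note that the sample sequence on this page leaves externalEntitiesEnabled at true; unless an API genuinely depends on external entities, setting it to false removes the usual path to XML external entity (XXE) processing.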
XML schema validation
You can define an XML schema per resource to validate each request. For example, to add an XML schema for the resource /userapi/1.0.0/addResource/value, follow the steps below.
- In the switch of the xml_validator sequence, add a case whose regex matches the resource path (for example, .*/addResource.*).
- Set the xsdURL property inside that case to the URL of the relevant schema.
- Set the RequestMessageBufferSize property to the buffer size the request message requires (the sample sequence uses 1024).
Each request is sanitized by the XML threat protector. The API developer can modify each property as required.
Editing the sequence through registry artifacts
To edit the existing sequence, follow the steps below.
- Log in to the Management Console.
- Navigate to /_system/governance/apimgt/customsequences/in/xml_validator.xml.
- Edit the xml_validator.xml file.
- Go to the API Publisher and re-publish your API for the changes to take effect.
Applying the XML validator policy
You can apply the pre-defined XML policy through the UI. Follow the instructions below to apply xml_validator as an in-sequence.
- Create an API or edit an existing API.
- Go to Message Mediation Policies under the Implement tab.
- Select Enable Message Mediation, then select xml_validator from the In Flow drop-down menu.
- Click Save and Publish to save the changes.
Testing the XML threat protector
You can edit the sequence to set the property values according to your requirements. A sample request and response, with the property values set to 30, is given below. Note that the .xsd URL for the relevant resource has been hosted.
Testing the schema validation
A sample request and response to test the schema validation is given below.
Performance impact
The XML mediator builds the full message at the mediator level. For 10KB messages with 300 concurrent users, this costs 5.6 times the time of the normal flow, and the slowdown grows with message size.