Nainaz's Blog

JSON Threat Protection Policy

Nainaz's photo
Nainaz
·

3 min read

JSON Threat Protection Policy

This policy protects from JSON malicious API requests.
This policy detects malicious JSON based on the configured limits on JSON structure.
When the message is received from the client or other system, Content-Type should be application/JSON, if it is not, the policy won’t allow that API request to pass through.
Scenario:
- To destabilize the system, hackers may send Large and complex JSON messages to the service.
- As it uses more memory and CPU, JSON parsers unable to handle this kind of message.
- This results in a service crash.
These attacks can be mitigated if the service uses a JSON Threat protection policy.

XML Configuration file - JSON Threat Protection Policy

<JSONThreatProtection continueOnError="false" enabled="true" name="JSON-Threat-Protection-1">
<DisplayName>JSON Threat Protection-1</DisplayName>
<Properties/>
<!-- inside array there should be <=2 element-->
<ArrayElementCount>2</ArrayElementCount>
<!-- ContainerDepth: after creating a tree structure , Node depth(lengthg of tree)
is known as ContainerDepth-->
<ContainerDepth>3</ContainerDepth>
<!-- ObjectEntryCount: number of ojects in JSON message-->
<ObjectEntryCount>5</ObjectEntryCount>
<ObjectEntryNameLength>11</ObjectEntryNameLength>
<!-- Source: from where we are getting the JSON msg. ie,. from request-->
<Source>request</Source>
<!-- length/size of value of the objects/elements-->
<StringValueLength>15</StringValueLength>
</JSONThreatProtection>

Sample JSON message.

{
    "BillNumber": "8888",
    "BillDate": "2022-02-23",
    "Customer": {
        "Name": "Prashant",
        "Mail": "nkptech@gmail.com",
        "Address": {
            "Street_Addr1": "Bay area",
            "Country": "USA"
        }
    },
    "paymentDetails": {
        "paymentType": "CARD"
    },
    "paymentDetails2": {
        "paymentType": "CARD"
    },
    "CartItems": [{
            "ProductName": "OVEN"
        }, {
            "ProductName": "Book"
        }
    ]
}

/*ArrayElementCount:  
[{
            "ProductName": "OVEN"
        }, {
            "ProductName": "Book"
        }
    ]*/

/* ContainerDepth: for above example:*/

/*ObjectEntryCount: { (1), Customer(2), Address(3), paymentDetails(4), 
                   paymentDetails2(5), CartItems(6) */

/*ObjectEntryNameLength: size of above object/elements*/

Let’s implement this in APigee.

Create no target API proxy.

passthrough - eval - create and deploy - edit poxy - develop.
when the request we need to check whether the JSON message is tampered or not. So
proxy endpoint- preflow- request - add JSON threat protection policy.

JSON threat protection policy code should be like below.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JSONThreatProtection continueOnError="false" enabled="true" name="JSON-Threat-Protection-1">
    <DisplayName>JSON Threat Protection-1</DisplayName>
    <Properties/>
    <ArrayElementCount>2</ArrayElementCount>
    <ContainerDepth>4</ContainerDepth>
    <ObjectEntryCount>5</ObjectEntryCount>
    <ObjectEntryNameLength>11</ObjectEntryNameLength>
    <Source>request</Source>
    <StringValueLength>15</StringValueLength>
</JSONThreatProtection>

Save and deploy.
see the output: send the POST request with JSON content. Make sure that content_type: application/JSON is in the header of the request.
JSON message.

{
    "BillNumber": "8888",
    "BillDate": "2022-02-23",
    "Customer": {
        "Name": "Prashant",
        //"Mail": "nkptech@gmail.com", bcz of this getting error. So modify to
        "Mail": "nk@gmail.com"
        "Address": {
        //Exceeds object entry name length
        // "Street_Addr1" modify to
            "Strdr1": "Bay area",
            "Country": "USA"
        }
    },
    //Exceeded object entry name length
    //"paymentDetails" modify to
    "pDetails": {
        "paymentType": "CARD"
    },
    //Exceeded object entry name length
    //"paymentDetails2" modify to
    "pDetails2": {
        "paymentType": "CARD"
    }
    //Exceeded object entry count . so delete this
    /*"CartItems": [{
            "ProductName": "OVEN"
        }, {
            "ProductName": "Book"
        }
    ]*/
}

We got an error.
Execution failed. reason: "Exceeded string value length at line 6"

Execution failed. reason: Exceeds object entry name length at line 8

After modifying the code related to the threat protection code. sample JSON content looks like below.

{
    "BillNumber": "8888",
    "BillDate": "2022-02-23",
    "Customer": {
        "Name": "Prashant",
        "Mail": "nk@gmail.com",
        "Address": {
            "Strdr1": "Bay area",
            "Country": "USA"
        }
    },
    "pDetails": {
        "paymentType": "CARD"
    },
    "pDetails2": {
        "paymentType": "CARD"
    }

}

APIsapigeeAPI management - google cloudJSON Threat Protection policy