Protect Against Document Structure Threats Assertion

The Protect Against Document Structure Threats assertion allows you to specify size limits for incoming XML requests to protect against XDoS (XML Denial of Service) attacks using oversized files. When the text or attributes of an incoming request exceed the specified limits, the Layer7 API Gateway rejects the message and blocks further processing of the policy.
To learn about selecting the target message for this assertion, see Select a Target Message.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the Document Structure Threat Protection Properties automatically appear; when modifying the assertion, right-click <target>: Protect against Document Structure Threats in the policy window and select Document Structure Threat Protection Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
  3. Configure the properties as follows:
    Reject if any XML contiguous text has length exceeding
      Select this check box to reject any incoming request with a text node (or CDATA section) containing more than the specified number of contiguous characters. Clear this check box to accept contiguous text of any length.
      "Contiguous" in this context refers to the characters between XML tags. For example: <tag>this is a string of contiguous characters</tag>. This check does not differentiate between start and end tags, so the following text is also considered contiguous characters: </endTag>blank spaces and return characters between tags are also contiguous text<startTag>.
      The length of attribute names is excluded from this setting. To manage requests based on the attribute name, use the "Reject if any XML attribute name has length exceeding" setting.
    Reject if any XML attribute value has length exceeding
      Select this check box to reject any incoming request with an attribute value longer than the specified number of characters. Clear this check box to accept attribute values of any length.
      The length of an attribute value is the number of characters between the quotes of the attribute, not including the attribute name itself. For example, the length of this attribute value is 12: <img src="computer.gif">.
    Reject if any XML attribute name has length exceeding
      Select this check box to reject any incoming request with an attribute name longer than the specified number of characters. Clear this check box to accept attribute names of any length.
      XML attribute name lengths are independent of the "Reject if any XML contiguous text has length exceeding" setting.
    Reject if XML element nesting depth exceeds
      Select this check box to reject any incoming request that contains more than the specified number of nested element levels. Clear this check box to accept requests with any nesting depth.
      The nesting count begins at the top of the XML document. If it is a SOAP message, the Envelope is level 1, the Body is level 2, and so on.
    Reject if distinct namespace declarations exceeds
      Select this check box to reject any incoming request that contains more than the specified number of distinct namespace URI declarations. Clear this check box to accept requests with any number of namespace declarations.
      A value of '0' (zero) means unlimited, which is the same as clearing the check box.
    Reject if distinct namespace prefix declarations exceeds
      Select this check box to reject any incoming request that contains more than the specified number of distinct namespace prefix declarations. Clear this check box to accept requests with any number of namespace prefix declarations.
      A value of '0' (zero) means unlimited, which is the same as clearing the check box.
    Reject SOAP requests that contain more than [number] payload elements
      Select this check box to reject any SOAP request with more than the specified number of payload elements. Clear this check box to ignore the number of payload elements in a request.
      A SOAP envelope requires one Body section but may contain multiple payload elements (the Header is optional):
        Envelope
          Header (optional)
          Body
            Payload
            Payload
            Payload
      Multiple payloads are uncommon, and an attack may use multiple payload elements to evade simplistic validity checks. For example, an XPath in the policy might match (and validate) payload #2, while the back-end application ignores payload #2 and processes payload #1 instead.
    Require a valid SOAP envelope (one Body, no trailers)
      Select this check box to reject any request that does not contain a valid SOAP envelope. Clear this check box to skip validation of the SOAP envelope structure.
      A valid envelope contains exactly one Body section, optionally preceded by exactly one Header section, with no SOAP trailers (no elements after the Body).
      This setting guards against invalid SOAP envelopes that contain multiple Body sections or trailers, which may be caused either by an attack or by an error in the client application.
  4. Click [OK] when done.
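The following is an added example, not code from the Layer7 API Gateway or its documentation: a small streaming checker built on Python's expat bindings that computes the same document-structure metrics the assertion thresholds (contiguous text length, attribute name and value length, nesting depth, distinct namespace URIs and prefixes, SOAP payload count, envelope validity) and rejects a message as soon as a limit is exceeded. It streams rather than building a tree, which is the point of these limits: an oversized or deeply nested document must be refused before it is fully materialised. The Limits fields, the helper names, the sample messages and the treatment of xmlns declarations (counted as namespace declarations, not as attributes) are illustrative assumptions; SOAP elements are matched by local name only, without verifying the SOAP namespace URI.

```python
"""Document-structure checks for an incoming XML/SOAP message (illustrative example)."""
from dataclasses import dataclass
from typing import Optional
from xml.parsers import expat


@dataclass
class Limits:
    # None models a cleared check box; for the two namespace counters a 0 also
    # means unlimited, as in the assertion dialog. All names are assumptions.
    contiguous_text: Optional[int] = None
    attr_value: Optional[int] = None
    attr_name: Optional[int] = None
    nesting_depth: Optional[int] = None
    namespace_uris: Optional[int] = None
    namespace_prefixes: Optional[int] = None
    soap_payloads: Optional[int] = None
    require_valid_envelope: bool = False


class RejectMessage(Exception):
    """Raised when a limit is exceeded; a gateway would stop policy processing here."""


def _over(value, limit, zero_is_unlimited=False):
    if limit is None or (zero_is_unlimited and limit == 0):
        return False
    return value > limit


class _Checker:
    def __init__(self, limits):
        self.lim = limits
        self.depth = self.max_depth = 0
        self.text_run = self.max_text_run = 0   # characters since the last tag
        self.ns_uris, self.ns_prefixes = set(), set()
        self.path = []                 # local names of the currently open elements
        self.root = None
        self.envelope_children = []    # local names of Envelope's children, in order
        self.payloads = 0              # direct children of Body

    def _end_text_run(self):
        # Any start or end tag terminates a run of "contiguous" text.
        self.max_text_run = max(self.max_text_run, self.text_run)
        self.text_run = 0

    def chars(self, data):
        self.text_run += len(data)     # expat may split one run over several calls
        if _over(self.text_run, self.lim.contiguous_text):
            raise RejectMessage("contiguous text longer than %d" % self.lim.contiguous_text)

    def start(self, name, attrs):
        self._end_text_run()
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        if _over(self.depth, self.lim.nesting_depth):
            raise RejectMessage("nesting depth exceeds %d" % self.lim.nesting_depth)
        for aname, avalue in attrs.items():
            if aname == "xmlns" or aname.startswith("xmlns:"):
                # Assumption: xmlns declarations count as namespace declarations only;
                # the default namespace declares a URI but no prefix.
                self.ns_uris.add(avalue)
                if aname != "xmlns":
                    self.ns_prefixes.add(aname[len("xmlns:"):])
                if _over(len(self.ns_uris), self.lim.namespace_uris, True):
                    raise RejectMessage("more than %d distinct namespace URIs" % self.lim.namespace_uris)
                if _over(len(self.ns_prefixes), self.lim.namespace_prefixes, True):
                    raise RejectMessage("more than %d distinct namespace prefixes" % self.lim.namespace_prefixes)
                continue
            if _over(len(aname), self.lim.attr_name):
                raise RejectMessage("attribute name %r longer than %d" % (aname, self.lim.attr_name))
            if _over(len(avalue), self.lim.attr_value):
                raise RejectMessage("value of attribute %r longer than %d" % (aname, self.lim.attr_value))
        local = name.rsplit(":", 1)[-1]
        self.path.append(local)
        if self.depth == 1:
            self.root = local
        elif self.depth == 2 and self.root == "Envelope":
            self.envelope_children.append(local)
        elif self.depth == 3 and self.path[:2] == ["Envelope", "Body"]:
            self.payloads += 1
            if _over(self.payloads, self.lim.soap_payloads):
                raise RejectMessage("more than %d SOAP payload elements" % self.lim.soap_payloads)

    def end(self, name):
        self._end_text_run()
        self.path.pop()
        self.depth -= 1


def check_message(xml, limits):
    """Stream-parse xml and return its structure metrics, or raise RejectMessage."""
    c = _Checker(limits)
    p = expat.ParserCreate()
    p.StartElementHandler, p.EndElementHandler, p.CharacterDataHandler = c.start, c.end, c.chars
    try:
        p.Parse(xml, True)
    except expat.ExpatError as e:
        raise RejectMessage("not well-formed XML: %s" % e)
    if limits.require_valid_envelope:
        # Exactly one Body, optionally preceded by exactly one Header, nothing after Body.
        if c.root != "Envelope" or c.envelope_children not in (["Body"], ["Header", "Body"]):
            raise RejectMessage("invalid SOAP envelope, children of Envelope: %s" % c.envelope_children)
    return {"max_depth": c.max_depth, "max_text_run": c.max_text_run, "payloads": c.payloads,
            "namespace_uris": len(c.ns_uris), "namespace_prefixes": len(c.ns_prefixes)}


def rejected(xml, limits):
    """Return the rejection reason, or None if the message passes all checks."""
    try:
        check_message(xml, limits)
        return None
    except RejectMessage as e:
        return str(e)


# Constructed sample messages (not real traffic). The second one carries two Body
# sections: a trailer-style evasion that the envelope and payload checks catch.
SAMPLE_OK = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:acct="urn:example:accounts">
  <soapenv:Header><acct:TraceId>abc-123</acct:TraceId></soapenv:Header>
  <soapenv:Body>
    <acct:GetBalance currency="EUR"><acct:Id>42</acct:Id></acct:GetBalance>
  </soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_DOUBLE_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><acct:Ping xmlns:acct="urn:example:accounts"/></soapenv:Body>
  <soapenv:Body><acct:Ping xmlns:acct="urn:example:accounts"/></soapenv:Body>
</soapenv:Envelope>"""
```

Because the checks run inside the parser callbacks, an attacker's 50 MB text node or 100,000-level nesting is rejected after the first few kilobytes are read, with no DOM in memory. Note that the nesting and contiguous-text limits are compared as "more than", so a depth limit of 20 admits exactly 20 levels, matching the dialog wording; and the double-Body sample is rejected by either the envelope-validity check or a payload limit of 1, while it passes with a payload limit of 2, which is why the two settings are best enabled together.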