Apigee XML Threat Protection against XML bombs

chrisyanez · December 28, 2022, 5:40pm

I am developing an API proxy that takes a XML request payload and sends it through to a backend.
I am working on implementing a XML Threat Protection policy for this proxy but during testing I noticed that it does not protect against XML bomb attacks such as this example listed on https://www.soapui.org/docs/security-testing/security-scans/xml-bomb/

I know one possible solution would be to implement java code in the form of a java callout to handle the protection. Is it possible to handle this using only Apigee policies?

gonzalezruben · January 6, 2023, 4:31pm

Hi!

You should be able to use theXMLThreatProtection policy to protect your backend from XML bombs. In your example, as the entity values get longer the policy will block values longer than 8 kB. If you want to limit the resolved entities values further, then configure more restrictive for .

Topic		Replies	Views
How can I prevent XML Entity expansion attacks using Apigee Apigee api-runtime	2	7	February 12, 2019
limit file size with xml and json threat protection policy metrics Apigee api-runtime	1	7	April 23, 2015
Are there pre-built, production-quality configurations for the XML, JSON, and Regex threat protection policies? Apigee api-runtime	2	18	September 11, 2015

Apigee XML Threat Protection against XML bombs

AI Suggested topics