As an API management platform, Apigee provides policies that can be used to detect and reject XML and JSON threats. The aim of the threat-protect API proxy is to help you configure XML and JSON threat protection policies. The threat-protect API proxy dynamically generates XML and JSON content of chosen structural dimensions, which serves as the input for testing the XML and JSON threat protection policies respectively.
Prerequisites:
- Maven
- NodeJS LTS version or above
- Apigee Evaluation Organization
Deploying with the Google API (Apigee X variables):

```sh
export APIGEE_X_ORG=xxx
export APIGEE_X_ENV=xxx
export APIGEE_X_HOSTNAME=api.example.com
./pipeline.sh --googleapi
```
Deploying with the Apigee Edge API (user/password variables):

```sh
export APIGEE_ORG=xxx
export APIGEE_ENV=xxx
export APIGEE_USER=xxx
export APIGEE_PASS=xxx
./pipeline.sh --apigeeapi
```
The pipeline script deploys on Apigee (Edge, hybrid or X) an API Proxy containing the full configuration of the threat protection reference.
The threat protection reference allows you to test structural limits of XML and JSON contents. More specifically, structural dimensions are defined by:
- width
- height
- depth
- length
As said before, the XML and JSON threats are created by the API proxy. The following paragraphs define these dimensions for the two content types, whose limits are tested with either the XML or the JSON threat protection policy.
Here is a picture describing the structural dimensions of an XML document:
- width refers to the number of attributes on elements/tags
- depth refers to the node depth of an XML document
- height refers to the number of child elements of the root element
- length refers to the number of namespaces of the root element
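To make these four XML dimensions concrete, here is an added Node.js example (not code from the threat-protect proxy or the Apigee project) that builds an XML document with a chosen width, height, depth and length, measures those dimensions back from the serialized text, and compares them with limits named after the XMLThreatProtection policy's StructureLimits elements. The element names `XMLThreat`, `child` and `nested`, the attribute and namespace names, and the `measureXml` tokenizer are assumptions of this example; the tokenizer only understands the attribute-only markup the generator emits (no comments, processing instructions, CDATA or text containing `<`), so it is a checking aid for generated content, not a general XML parser.

```javascript
// Added example (not the threat-protect proxy's own code): generate an XML
// document with given structural dimensions and measure them back.
// Definitions follow the README: width = attributes per element,
// depth = element nesting depth (root = 1), height = child elements of the
// root, length = namespace declarations on the root.

function attributes(width, prefix = 'a') {
  // `width` ordinary attributes: a0="v0" a1="v1" ... (constructed names)
  return Array.from({ length: width }, (_, i) => ` ${prefix}${i}="v${i}"`).join('');
}

function namespaces(count) {
  // `count` namespace declarations on the root (constructed example URIs)
  return Array.from({ length: count }, (_, i) => ` xmlns:ns${i}="urn:example:ns${i}"`).join('');
}

function generateXmlThreat({ width = 1, height = 1, depth = 3, length = 1 } = {}) {
  if (depth < 3) throw new RangeError('depth must be at least 3 (root > child > nested)');
  if (height < 1) throw new RangeError('height must be at least 1 (first child carries the chain)');
  // Nested chain below the first child: depth - 2 levels, innermost first.
  let chain = `<nested${attributes(width)}/>`;
  for (let level = depth - 3; level > 0; level--) {
    chain = `<nested${attributes(width)}>${chain}</nested>`;
  }
  const children = [];
  for (let i = 0; i < height; i++) {
    children.push(i === 0 ? `<child${attributes(width)}>${chain}</child>` : `<child${attributes(width)}/>`);
  }
  return `<XMLThreat${namespaces(length)}${attributes(width)}>${children.join('')}</XMLThreat>`;
}

function measureXml(xml) {
  const stats = { nodeDepth: 0, maxAttributesPerElement: 0, rootNamespaceCount: 0, rootChildCount: 0 };
  // Start, end and self-closing tags with double-quoted attributes only.
  const tagRe = /<(\/?)([A-Za-z_][\w.:-]*)((?:\s+[A-Za-z_][\w.:-]*="[^"]*")*)\s*(\/?)>/g;
  let depth = 0;
  for (const m of xml.matchAll(tagRe)) {
    const [, closing, , attrText, selfClosing] = m;
    if (closing) { depth--; continue; }
    depth++;
    stats.nodeDepth = Math.max(stats.nodeDepth, depth);
    const attrs = attrText.match(/[A-Za-z_][\w.:-]*="[^"]*"/g) || [];
    const nsDecls = attrs.filter((a) => /^xmlns(:|=)/.test(a)).length;
    // Namespace declarations are not counted as ordinary attributes.
    stats.maxAttributesPerElement = Math.max(stats.maxAttributesPerElement, attrs.length - nsDecls);
    if (depth === 1) stats.rootNamespaceCount = nsDecls;
    if (depth === 2) stats.rootChildCount++;
    if (selfClosing) depth--;
  }
  return stats;
}

function checkXmlLimits(stats, limits) {
  // Limit names follow XMLThreatProtection <StructureLimits>; the policy applies
  // NamespaceCountPerElement and ChildCount to every element, this check only
  // to the root, which is where the generator puts the most of both.
  const violations = [];
  if (stats.nodeDepth > limits.NodeDepth) violations.push(`NodeDepth ${stats.nodeDepth} > ${limits.NodeDepth}`);
  if (stats.maxAttributesPerElement > limits.AttributeCountPerElement) violations.push(`AttributeCountPerElement ${stats.maxAttributesPerElement} > ${limits.AttributeCountPerElement}`);
  if (stats.rootNamespaceCount > limits.NamespaceCountPerElement) violations.push(`NamespaceCountPerElement ${stats.rootNamespaceCount} > ${limits.NamespaceCountPerElement}`);
  if (stats.rootChildCount > limits.ChildCount) violations.push(`ChildCount ${stats.rootChildCount} > ${limits.ChildCount}`);
  return violations;
}

// Dimensions taken from the README's example request.
const xmlThreat = generateXmlThreat({ width: 10, height: 17, depth: 30, length: 20 });
const xmlStats = measureXml(xmlThreat);
console.log(xmlStats);
console.log(checkXmlLimits(xmlStats, { NodeDepth: 12, AttributeCountPerElement: 10, NamespaceCountPerElement: 20, ChildCount: 20 }));
```

The minimum depth of 3 falls out of the shape of the generated document: the root, one child and at least one nested element are always present. The same measurement can be run on the body the deployed proxy returns, to confirm that a 200 response really carries the dimensions that were requested before trusting a 400 as evidence that the policy is enforcing them.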
Here is a picture describing the structural dimensions of a JSON content:
- width refers to the number of entries in an object
- depth refers to the containment depth, where the containers are objects in this case
- height refers to the number of entries on the `JSONThreat` (root) object
- length refers to the number of items in the `items` array
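The same idea for JSON, as an added Node.js example that is not code from the threat-protect proxy: build a document with the chosen width, height, depth and length, measure those dimensions back from the parsed document, and compare them with limits named after the JSONThreatProtection policy elements ContainerDepth, ObjectEntryCount and ArrayElementCount. The key names `nested`, `w0…`, `h0…` and `item0…` are assumptions of this example; `JSONThreat` and `items` come from the definitions above.

```javascript
// Added example (not the threat-protect proxy's own code): build a JSON
// document with chosen width/height/depth/length as defined above, then
// measure those dimensions back and compare them with policy-style limits.

function fill(obj, count, prefix) {
  // Add `count` scalar entries: {prefix0: "v0", prefix1: "v1", ...} (constructed)
  for (let i = 0; i < count; i++) obj[`${prefix}${i}`] = `v${i}`;
  return obj;
}

function generateJsonThreat({ width = 1, height = 2, length = 1, depth = 3 } = {}) {
  // depth counts the outer wrapper (1) and the JSONThreat object (2), so the
  // first nested object sits at depth 3: hence the README's minimum of 3.
  if (depth < 3) throw new RangeError('depth must be at least 3');
  // Innermost object: `width` scalar entries.
  let chain = fill({}, width, 'w');
  // Each outer level: one link entry plus width-1 fillers, so every nested
  // object has exactly `width` entries.
  for (let level = depth - 3; level > 0; level--) {
    chain = fill({ nested: chain }, Math.max(0, width - 1), 'w');
  }
  // Root object: `items` array of `length` elements, the nested chain, and
  // enough fillers to reach `height` entries (height below 2 is clamped to 2).
  const root = fill(
    { items: Array.from({ length }, (_, i) => `item${i}`), nested: chain },
    Math.max(0, height - 2), 'h');
  return { JSONThreat: root };
}

function measureJson(value) {
  // Arrays are counted as containers too (as the policy does); for the
  // generated documents this agrees with the object-only definition above,
  // because the `items` array never sits deeper than the nested chain.
  const stats = { containerDepth: 0, maxObjectEntries: 0, maxArrayElements: 0 };
  const walk = (v, d) => {
    if (Array.isArray(v)) {
      stats.containerDepth = Math.max(stats.containerDepth, d);
      stats.maxArrayElements = Math.max(stats.maxArrayElements, v.length);
      v.forEach((x) => walk(x, d + 1));
    } else if (v !== null && typeof v === 'object') {
      stats.containerDepth = Math.max(stats.containerDepth, d);
      const keys = Object.keys(v);
      stats.maxObjectEntries = Math.max(stats.maxObjectEntries, keys.length);
      keys.forEach((k) => walk(v[k], d + 1));
    }
  };
  walk(value, 1);
  return stats;
}

function checkJsonLimits(stats, limits) {
  const violations = [];
  if (stats.containerDepth > limits.ContainerDepth) violations.push(`ContainerDepth ${stats.containerDepth} > ${limits.ContainerDepth}`);
  if (stats.maxObjectEntries > limits.ObjectEntryCount) violations.push(`ObjectEntryCount ${stats.maxObjectEntries} > ${limits.ObjectEntryCount}`);
  if (stats.maxArrayElements > limits.ArrayElementCount) violations.push(`ArrayElementCount ${stats.maxArrayElements} > ${limits.ArrayElementCount}`);
  return violations;
}

// Dimensions taken from the README's example request; round-trip through text
// exactly as a proxy response body would be handled.
const payload = JSON.stringify(generateJsonThreat({ width: 10, length: 20, depth: 30, height: 17 }));
const jsonStats = measureJson(JSON.parse(payload));
console.log(jsonStats);
console.log(checkJsonLimits(jsonStats, { ContainerDepth: 12, ObjectEntryCount: 20, ArrayElementCount: 20 }));
```

Running `measureJson` over the body returned by the deployed `/json` endpoint is a quick way to confirm that a request which was not rejected really carried the requested dimensions, so that a 400 can be read as the policy limit rather than as a parameter that was silently ignored.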
Available endpoints are the following ones:
- `GET /xml`: to generate an XML threat and test the XMLThreatProtection policy
- `GET /json`: to generate a JSON threat and test the JSONThreatProtection policy
Once the threat-protect API proxy has been installed on a target organization and deployed into an environment, here are the full URIs of these endpoints and the method available for each of them:
| Endpoint | Available method + URI |
|---|---|
| XML threat test | GET /threats/v1/xml |
| JSON threat test | GET /threats/v1/json |
Here is a detailed description of each endpoint and in particular the list of parameters accepted by each of them.

XML threat test:

| HTTP Method | Base Path | Endpoint URI |
|---|---|---|
| GET | /threats/v1 | /xml |

JSON threat test:

| HTTP Method | Base Path | Endpoint URI |
|---|---|---|
| GET | /threats/v1 | /json |

Query parameters (the same for both endpoints):

| Name | Type (query/header/form) | Value | Required (yes/no) |
|---|---|---|---|
| width | query | integer | no |
| height | query | integer | no |
| length | query | integer | no |
| depth | query | integer (min. depth = 3)* | no |

(*): due to the structure of the XML and JSON contents generated.
Example JSON threat test:

- Method: `GET`
- URI: `/threats/v1/json?width=10&length=20&depth=30&height=17`
- Output: either a fault (status code 400, message "Bad Request") or the JSON content (status code 200) generated by the proxy. You can modify the configuration of the JSON threat protection policy to tune this security policy as desired.
Example XML threat test:

- Method: `GET`
- URI: `/threats/v1/xml?width=10&length=20&depth=30&height=17`
- Output: either a fault (status code 400, message "Bad Request") or the XML content (status code 200) generated by the proxy. You can modify the configuration of the XML threat protection policy to tune this security policy as desired.