Protection against XML Attacks and DoS
Protect your server against XML-related attacks.
Denial of Service attacks are possible whenever a small request leads to huge resource consumption on the side, either in memory or in CPU time. While in a susceptible application context this cannot completely be prevented without changing the service's implementation, some steps can be taken to thwart some forms of attack.
Only allow XML Requests
Any non-XML request is discarded (and a "400 Bad Request" response returned), to prevent parsers from accidentally attempting to process it.
Only allow well-formed XML Requests
Since any "almost well-formed" request might be used to exploit bugs in the XML parser, all non-XML or not well-formed requests are discarded.
Remove DTDs from incoming Requests
DTDs (Document Type Definitions) are a valid part in an XML document's prologue. By allowing the definition of entities using other entities, they potentially cause an XML parser to exhaust the available memory (exponential entity expansion).
By allowing the definition of external entities using URIs, an unprotected Web server can potentially leak any internal information it has access to.
Since DTDs have largely been superseeded by XML Schema, they can in most cases simply be removed from any incoming XML request.
Limit Element Name Length and the Number of Attributes per Element
As most XML-handling software dramatically increases its resource usage as element names grow longer or the number of attributes of an element increases, in practice usually both can simply be limited. Requests exceeding one of those limits will be discarded.
Before the XML protection feature of Membrane API Gateway investigates an incoming request for DTD removal or limit checks, the request has to be read completely into memory. This leads to an increased memory usage.
Add the xmlProtection interceptor to a proxy configuration, for example as follows:
<spring:beans xmlns="http://membrane-soa.org/proxies/1/" xmlns:spring="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://membrane-soa.org/proxies/1/ http://membrane-soa.org/schemas/proxies-1.xsd"> <router> <serviceProxy> <path>/axis2/services/BLZService</path> <xmlProtection /> <target host="thomas-bayer.com" port="80"/> </serviceProxy> </router> </spring:beans>
For more detailed documentation, see the xmlProtection reference.