JSON Schema Validation

Document created by macsa06 on Jul 21, 2014. Last modified by macsa06 on Nov 28, 2014.

When protecting an endpoint from XML-based attacks, payloads are not only scanned for code injection, malicious entity declarations and parser attacks; the XML documents are also validated against strict schemas that clearly describe the expected document structure. Enforcing this kind of compliance at the edge, for example in a SOA or API gateway, minimizes the risk of attacks on the Web service endpoint. Structure definition languages such as XML Schema Definition (XSD), Schematron and XPath are all helpful tools for describing the data types and structure of the XML documents expected at runtime.


JavaScript Object Notation (JSON) is increasingly being considered as an alternative to XML and is already established as the preferred content type for many RESTful Web services and APIs. JSON-enabled services that receive content from external sources are subject to message-level threats similar to those faced by XML-based web services, so validation of JSON payload structures is an essential component of perimeter threat protection for JSON-capable environments. An existing schema language specification for JSON, named JSON Schema, uses concepts similar to those of XSD to define JSON structures. Also worth noting is an alternative named Orderly, which proposes a different specification with a leaner syntax.


Consider the JSON Schema validation assertion, which can be incorporated into CA API Gateway policies. In the service policy illustrated below, PUT requests are inspected for proper JSON structure using this assertion.

[Image: SecureSpan JSON Schema validation - Layer 7 Technologies]

This assertion's properties allow the administrator to provide a JSON Schema for runtime validation. Below is a simple JSON Schema loaded in the assertion's properties.

[Image: SecureSpan JSON Schema validation properties - Layer 7 Technologies]

To test this policy, we can send PUT requests to the service using the Firefox REST Client plugin. This lets us verify that only JSON structures that comply with the JSON Schema are accepted, while non-compliant payloads are rejected at the gateway before they reach the service.

[Image: Sending a JSON payload that conforms to the JSON Schema - Layer 7 Technologies]
Test 1 – Sending a JSON payload that conforms to the JSON Schema.


[Image: Sending a JSON payload that violates the JSON Schema prescribed structure - Layer 7 Technologies]
Test 2 – Sending a JSON payload that violates the JSON Schema prescribed structure.
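To make the two tests concrete, here is an added example (not the gateway's own code, and not the schema from the screenshot) that implements the subset of JSON Schema keywords a strict structural check typically relies on, and applies it to two constructed PUT bodies: one conforming, one with a wrong type, a missing required property and an undeclared property. The schema, the property names and the request bodies are all assumptions chosen for illustration.

```python
import json

# Constructed JSON Schema for a hypothetical PUT body (the page's own schema is only shown as an image).
USER_SCHEMA = {
    "type": "object",
    "required": ["name", "email"],
    "additionalProperties": False,
    "properties": {
        "name": {"type": "string", "maxLength": 64},
        "email": {"type": "string", "maxLength": 254},
        "age": {"type": "integer"},
    },
}
JSON_TYPES = {"object": dict, "string": str, "integer": int, "boolean": bool, "array": list}

def validate(instance, schema, path="$"):
    """Return a list of violations (empty == valid) for the keywords used above."""
    errors = []
    expected = schema.get("type")
    if expected is not None:
        # bool is a subclass of int in Python; JSON "integer" must not accept true/false
        if not isinstance(instance, JSON_TYPES[expected]) or (expected == "integer" and isinstance(instance, bool)):
            return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    if isinstance(instance, dict):
        errors += [f"{path}: missing required property '{k}'" for k in schema.get("required", []) if k not in instance]
        props = schema.get("properties", {})
        for key, value in instance.items():
            if key in props:
                errors += validate(value, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                # Reject properties the schema does not describe; this is what makes the schema "strict".
                errors.append(f"{path}: unexpected property '{key}'")
    if isinstance(instance, str) and len(instance) > schema.get("maxLength", len(instance)):
        errors.append(f"{path}: string longer than {schema['maxLength']}")
    return errors

def gateway_check(raw_body: bytes):
    """Mimic the edge decision: parse, validate, and return (accepted, reasons)."""
    try:
        doc = json.loads(raw_body)
    except ValueError as exc:
        return False, [f"malformed JSON: {exc}"]
    errors = validate(doc, USER_SCHEMA)
    return not errors, errors

# Constructed request bodies mirroring Test 1 (conforming) and Test 2 (violating).
GOOD_BODY = b'{"name": "Ada", "email": "ada@example.com", "age": 36}'
BAD_BODY = b'{"name": "Ada", "age": "36", "role": "admin"}'
```

Running `gateway_check(GOOD_BODY)` accepts the first body, while `gateway_check(BAD_BODY)` rejects the second with three distinct violations, which is the information a gateway would log when returning the error to the client.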


The ability to validate incoming JSON payloads at the perimeter, in an isolated and secured environment, is another example of the CA API Gateway's value in securing RESTful environments.