When protecting an endpoint from XML-based attacks, not only are payloads scanned for code injections, malicious entity declarations and parser attacks, XML documents are actually validated against strict schemas that clearly describe expected document structures. Enforcing this type of compliance at the edge, in a SOA or API gateway for example, minimizes the risk of attacks of the Web service endpoint. Structure definition languages such as XML Schema Definition (XSD), schematron, XPath are all helpful tools in describing the type of data and structure of XML documents that are expected at runtime.
Consider the JSON Schema validation assertion which can be incorporated in CA API Gateway policies. In the service policy illustrated below, PUT requests are inspected for proper JSON structure using this assertion.
This assertion’s properties allow the administrator to provide a JSON Schema for runtime validation. See below a simple JSON Schema loaded in the assertion’s properties.
For testing this policy, we can PUT requests to this service using the Firefox REST Client plugin. This lets us verify that only JSON stuctures that comply with the JSON Schema are accepted.
The ability to validate incoming JSON payloads at the perimeter, in an isolated and secured environment is another example of the CA API Gateway's value in securing RESTful environments.