In The importance of threat protection for restful web services, I presented a number of content-based threats for XML. When protecting an endpoint from XML-based attacks, payloads are not only scanned for code injections, malicious entity declarations and parser attacks; the XML documents are also validated against strict schemas that clearly describe the expected document structure. Enforcing this type of compliance at the edge, in a SOA gateway for example, minimizes the risk of attacks on the Web service endpoint. Structure definition languages such as XML Schema Definition (XSD), Schematron and XPath are all helpful tools for describing the type of data and the structure of the XML documents expected at runtime.
A number of recent posts illustrated the use of the SecureSpan SOA Gateway for the protection of RESTful Web services. In How to secure REST and JSON, Scott illustrated how to virtualize a REST API service, how to authenticate and authorize requesters, provide confidentiality, validate incoming query parameters, block code injections, and more. In addition to this, consider the SecureSpan JSON Schema validation assertion, which can be incorporated in SecureSpan policies. In the service policy illustrated below, PUT requests are inspected for proper JSON structure using this assertion.
This assertion’s properties allow the administrator to provide a JSON Schema for runtime validation. See below a simple JSON Schema loaded in the assertion’s properties.
For testing this policy, we can PUT requests to this service using the Firefox REST Client plugin. This lets us verify that only JSON structures that comply with the JSON Schema are accepted.
Test 1 – Sending a JSON payload that conforms to the JSON Schema.
Test 2 – Sending a JSON payload that violates the JSON Schema prescribed structure.
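As an added example (not part of the original post, and not SecureSpan's own code), the following Python snippet implements the handful of JSON Schema keywords that the two tests above exercise, so the accept/reject outcome of each test can be reproduced offline. The schema and the two payloads are constructed stand-ins for the ones shown in the post's screenshots.

```python
import json

# Constructed schema standing in for the one loaded into the assertion's properties.
SCHEMA = {
    "type": "object",
    "properties": {
        "id": {"type": "integer", "minimum": 1},
        "name": {"type": "string", "maxLength": 32},
        "tags": {"type": "array", "items": {"type": "string"}},
    },
    "required": ["id", "name"],
    "additionalProperties": False,
}

SIMPLE_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool, "null": type(None)}

def _type_ok(value, name):
    # bool is a subclass of int in Python, so exclude it from the numeric types explicitly.
    if name in ("integer", "number"):
        ok_types = int if name == "integer" else (int, float)
        return isinstance(value, ok_types) and not isinstance(value, bool)
    return isinstance(value, SIMPLE_TYPES[name])

def validate(value, schema, path="$"):
    """Return a list of violations for value against schema (empty when it conforms)."""
    t = schema.get("type")
    if t and not _type_ok(value, t):
        return [f"{path}: expected {t}"]          # wrong type: stop descending here
    errors = []
    if "minimum" in schema and value < schema["minimum"]:
        errors.append(f"{path}: below minimum {schema['minimum']}")
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        errors.append(f"{path}: longer than {schema['maxLength']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        errors += [f"{path}.{k}: required property missing" for k in schema.get("required", []) if k not in value]
        for key, sub in value.items():
            if key in props:
                errors += validate(sub, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: unexpected property")   # strict structure, as at the gateway
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

def check_put_body(raw):
    """Gateway-style check on a PUT body: returns (accepted, reasons)."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return False, [f"malformed JSON: {exc}"]   # reject before any schema logic runs
    errs = validate(doc, SCHEMA)
    return not errs, errs

GOOD = '{"id": 7, "name": "widget", "tags": ["a", "b"]}'                     # Test 1 (constructed)
BAD = '{"id": 0, "name": "widget", "tags": ["a", 1], "price": 9.99}'       # Test 2 (constructed)
```

Running `check_put_body(GOOD)` accepts the payload, while `check_put_body(BAD)` rejects it and lists every violation (value below minimum, wrong item type, unexpected property), which is the information a gateway would log when blocking the request.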
The ability to validate incoming JSON payloads at the perimeter, in an isolated and secured environment, is another example of SecureSpan's value in securing RESTful environments.