Configuring XML Detection

XML is widely used for data exchange, and attackers sometimes target weaknesses in the XML parsers and XML-consuming code behind web servers. You can use FortiADC's web application firewall (WAF) to examine client requests for anomalies in XML content. The WAF can also validate the structure of XML in client requests against a trusted XML schema file that you upload. Configuring XML detection helps ensure that requests containing XML are well-formed, stay within safe parsing limits, and carry no known attack patterns before they reach the server.

XML Check Chain illustrates how HTTP packets containing XML can be examined when XML detection is configured.

XML Check Chain

XML checks are composed of five parts, each of which carries out a single detection function:

  • Format Check—Checks that the XML (and, optionally, SOAP) content of a request is well-formed.
  • XML Schema Validation—Validates XML content against an uploaded XML schema file. An XML schema file must be uploaded first.
  • Limit Check—Enforces parsing limits (attribute counts, name and value lengths, nesting depth, namespace counts) to stop resource-exhaustion payloads.
  • SQL Injection Detection—Examines XML content for SQL injection signatures.
  • XSS Feature Library—Examines XML content for cross-site scripting signatures (XML-SIDM sub-module).

Before you begin, you must:
  • Upload the XML schema file you intend to use, if you plan to enable XML Schema Check (see Importing XML schema).
  • Upload the WSDL file you intend to use on the WSDL page, if you plan to enable WSDL Check.

To configure XML Detection:
  1. Go to Web Application Firewall > XML & JSON Validation and select the XML Detection tab.
  2. Click Create New.
  3. Complete the configuration as described in XML Detection.
  4. Click Save.

XML Detection

Settings and guidelines

Name

Enter the name of the XML Detection profile. You will use this name to select the XML Detection profile in WAF profiles. No spaces.

XML Format Check

Enable to check that the XML content of incoming HTTP requests is well-formed. Requests that fail the check are handled with the Action selected below.
SOAP Format Check

Enable or disable SOAP Format Check.

Note: When enabled, FortiADC examines the format of incoming SOAP requests and blocks those that are ill-formed.

This option is disabled by default. If enabled, you can choose to enable or disable WSDL Check below.

FortiADC's SOAP format check supports SOAP versions 1.1 and 1.2.

WSDL Check

Enable or disable WSDL Check.

Note: When enabled, FortiADC checks the SOAP content of a request against the selected WSDL file and blocks requests whose content does not conform to the service description.

This option is available only when SOAP Format Check is enabled above. It is disabled by default. If enabled, you must select a WSDL file below.

WSDL

Select a WSDL file from the drop-down list, which shows all WSDL files uploaded on the WSDL page.

Note: This option allows FortiADC to check the SOAP content of a request against the selected WSDL file and block the request if it fails the check.

XML Schema Check

Enable to validate XML content against an XML schema. Before enabling this check, you must upload the XML schema file. Schema validation checks that the content is valid against the schema; well-formedness is covered by XML Format Check. See Importing XML schema.

XML Schema

Select the uploaded XML schema file against which XML content is validated.
XML Limit Check

Enable to enforce parsing limits that protect web servers from denial-of-service (DoS) attacks such as XML bombs and transform injections. If enabled, you can change the following parameters:

  • Limit Max Attr
  • Limit Max Attr Name Len
  • Limit Max Attr Value Len
  • Limit Max Cdata Len
  • Limit Max Elem Child
  • Limit Max Elem Depth
  • Limit Max Elem Name Len
  • Limit Max Namespace
  • Limit Max Namespace Url Len

The parameters below are available only when XML Limit Check is enabled.

Max Attribute

Limits the number of attributes each individual element is allowed to have. Default: 256. Valid range: 1–256.

Max Attribute Name Length

Limits the length of each attribute name. Default: 128. Valid range: 1–2048.

Max Attribute Value Length

Limits the length of each attribute value. Default: 128. Valid range: 1–2048.

Max Cdata Length

Limits the length of the CDATA section of each element. Default: 65535. Valid range: 1–65535.

Max Element Child

Limits the number of children each element is allowed; child elements and character data both count. Default: 65535. Valid range: 1–65535.

Max Element Depth

Limits the number of nested levels below each element. Default: 256. Valid range: 1–65535.

Max Element Name Length

Limits the length of each element name. Default: 128. Valid range: 1–65535.

Max Namespace

Limits the number of namespace declarations in the XML document. Default: 16. Valid range: 0–256.

Max Namespace URL Length

Limits the URL length of each namespace declaration. Default: 256. Valid range: 0–1024.
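To make the format and limit checks concrete, the following Python script is an added example (not FortiADC code) that streams a request body through expat and rejects it at the first malformed construct or limit violation, using the same limit names and default values as the table above. One rule is an assumption of this example rather than a FortiADC setting: any DOCTYPE is denied outright, because an entity-expansion bomb expands inside the parser before any length limit can measure it. The sample bodies are constructed for the demonstration.

```python
import xml.parsers.expat
from dataclasses import dataclass


@dataclass(frozen=True)
class XmlLimits:
    # Defaults match the XML Limit Check table above.
    max_attr: int = 256
    max_attr_name_len: int = 128
    max_attr_value_len: int = 128
    max_cdata_len: int = 65535
    max_elem_child: int = 65535
    max_elem_depth: int = 256
    max_elem_name_len: int = 128
    max_namespace: int = 16
    max_namespace_url_len: int = 256


class XmlViolation(Exception):
    """Raised inside an expat handler to abort parsing at the first violation."""


def inspect_xml(doc: bytes, limits: XmlLimits = XmlLimits()) -> tuple[bool, str]:
    """Return (allowed, reason); allowed is False for malformed XML or any limit hit."""
    depth = 0
    ns_count = 0
    children = []       # per open element: child nodes seen so far
    chars = []          # per open element: character data length seen so far
    last_was_text = []  # per open element: whether the previous child was a text run

    def fail(msg: str) -> None:
        raise XmlViolation(msg)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Assumption of this example, not a FortiADC setting: deny any DOCTYPE, since it
        # carries entity bombs and external entities and fires before expansion starts.
        fail("doctype declaration not allowed")

    def start_element(name, attrs):
        nonlocal depth, ns_count
        depth += 1
        if depth > limits.max_elem_depth:
            fail(f"element depth {depth} exceeds {limits.max_elem_depth}")
        if len(name) > limits.max_elem_name_len:
            fail(f"element name length {len(name)} exceeds {limits.max_elem_name_len}")
        if children:  # this element is a child of the currently open element
            children[-1] += 1
            last_was_text[-1] = False
            if children[-1] > limits.max_elem_child:
                fail(f"child count {children[-1]} exceeds {limits.max_elem_child}")
        attr_count = 0
        for key, value in attrs.items():
            if key == "xmlns" or key.startswith("xmlns:"):  # namespace declaration
                ns_count += 1
                if ns_count > limits.max_namespace:
                    fail(f"namespace declarations {ns_count} exceed {limits.max_namespace}")
                if len(value) > limits.max_namespace_url_len:
                    fail(f"namespace URL length {len(value)} exceeds {limits.max_namespace_url_len}")
                continue
            attr_count += 1
            if attr_count > limits.max_attr:
                fail(f"attribute count {attr_count} exceeds {limits.max_attr}")
            if len(key) > limits.max_attr_name_len:
                fail(f"attribute name length {len(key)} exceeds {limits.max_attr_name_len}")
            if len(value) > limits.max_attr_value_len:
                fail(f"attribute value length {len(value)} exceeds {limits.max_attr_value_len}")
        children.append(0)
        chars.append(0)
        last_was_text.append(False)

    def end_element(name):
        nonlocal depth
        depth -= 1
        children.pop()
        chars.pop()
        last_was_text.pop()

    def char_data(data):
        # expat may split one text or CDATA run into chunks: count the run once as a
        # child (character data counts toward Max Element Child) and total its length.
        if not last_was_text[-1]:
            last_was_text[-1] = True
            children[-1] += 1
            if children[-1] > limits.max_elem_child:
                fail(f"child count {children[-1]} exceeds {limits.max_elem_child}")
        chars[-1] += len(data)
        if chars[-1] > limits.max_cdata_len:
            fail(f"character data length {chars[-1]} exceeds {limits.max_cdata_len}")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    try:
        parser.Parse(doc, True)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    except XmlViolation as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample bodies for the demonstration (not captured traffic).
SAMPLES = {
    "clean order": b'<order xmlns="urn:example:shop"><item sku="A1">2</item></order>',
    "unbalanced tags": b"<a><b></a>",
    "entity bomb": b'<!DOCTYPE x [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;">]><a>&lol2;</a>',
    "300 nested elements": b"<a>" * 300 + b"</a>" * 300,
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:20s} -> {inspect_xml(body)}")
```

Because the checks run on parser events, the document is never built as a tree: a body that would exhaust memory or CPU in the backend's parser is rejected as soon as the offending element, attribute or text run is encountered, which is what a WAF-side limit check has to guarantee.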
XML XSS Check

Enable to examine the bodies of incoming XML requests for patterns that indicate a possible cross-site scripting attack. On a positive match, FortiADC responds with the Action selected below.

XML SQL Injection Check

Enable to examine the bodies of incoming XML requests for SQL characters and keywords that indicate a possible SQL injection attack. On a positive match, FortiADC responds with the Action selected below.
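The XSS and SQL injection checks above inspect the XML body rather than the raw request bytes, and the difference matters: a payload written with character references or inside a CDATA section does not contain the literal string `<script` on the wire. The Python script below is an added example (not FortiADC's detection logic or its feature library) that parses the document and runs a small, illustrative set of XSS and SQL injection signatures over every decoded text node and attribute value. The patterns and the sample bodies are constructed for the demonstration; the body is assumed to have already passed the format and limit checks.

```python
import re
import xml.etree.ElementTree as ET

# Illustrative signatures only; a real feature library is far larger.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),         # <script ...>
    re.compile(r"\bon[a-z]+\s*=", re.I),       # inline event handlers: onload=, onerror=
    re.compile(r"javascript\s*:", re.I),       # javascript: URLs
]
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),          # UNION ... SELECT
    re.compile(r"'\s*(or|and)\s+['\d]", re.I),           # ' OR '1'='1, ' OR 1=1
    re.compile(r";\s*(drop|delete|insert|update)\b", re.I),  # stacked statements
    re.compile(r"--\s*$|/\*.*\*/", re.I | re.M),         # comment tricks
]


def iter_values(root):
    """Yield (location, value) for every text node and attribute, in document order."""
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text
        for key, value in elem.attrib.items():
            yield f"{elem.tag}@{key}", value
        if elem.tail and elem.tail.strip():
            yield f"{elem.tag}(tail)", elem.tail


def scan_xml(doc: bytes) -> list[tuple[str, str, str]]:
    """Return (category, location, value) for each hit; an empty list means clean.

    Assumes the body already passed the format and limit checks, so parsing it into a
    tree is safe here. Values come back decoded, so character references and CDATA
    wrappers no longer hide the payload from the patterns.
    """
    root = ET.fromstring(doc)
    hits = []
    for location, value in iter_values(root):
        for category, patterns in (("xss", XSS_PATTERNS), ("sqli", SQLI_PATTERNS)):
            if any(p.search(value) for p in patterns):
                hits.append((category, location, value))
                break
    return hits


# Constructed sample bodies for the demonstration (not captured traffic).
CLEAN = b"<user><name>Ada</name><note>likes cats</note></user>"
ENCODED_XSS = b"<comment>&#60;script&#62;alert(1)&#60;/script&#62;</comment>"
ATTR_SQLI = b"<query user=\"admin' OR '1'='1\"/>"

if __name__ == "__main__":
    for body in (CLEAN, ENCODED_XSS, ATTR_SQLI):
        print(body.decode(), "->", scan_xml(body) or "clean")
```

Note that `b"<script" not in ENCODED_XSS` is true, so a byte-level signature would let that body through; the parser-level scan flags it because the character references decode to `<script>` before the patterns run.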
Severity

Set the severity level in WAF logs of potential attacks detected by the XML Detection profile. Select one of the following options:

  • High
  • Middle
  • Low
Action

Sets the action FortiADC will take if a security check detects a potential attack. Select one of the following actions:

  • Alert—Sends an alert when the profile detects a potential attack.
  • Deny—Blocks the incoming request.
Exception Name

Optional. Select the exception profile that you want to apply to the XML Detection profile. See Configuring WAF Exception objects.
