XML Protection

Copy Link

Copy Doc ID a9687b55-f2f2-11ee-8c42-fa163e15d75b:121935

Download PDF

XML Protection

XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML code to attack web servers. XML Protection examines client requests for anomalies in XML code, and also attempts to validate the structure of XML code in client requests using trusted XML schema files.

If your API interfaces are implemented using XML, you can configure XML protection rules to ensure that the content of XML API requests does not contain any potential attacks.

To create an XML protection rule

Go to API PROTECTION > XML Protection.
You must have already enabled this module in Add Modules. See How to add or remove a module.
Click +Create XML Protection Rule.

Configure these settings.

Name	Enter a name for the XML protection rule.
Request URL	Type the URL used to match requests, such as `/upload.php`, or use wildcards to match multiple URLs, such as `/folder1/` or `/folder1//index.htm`. The URL must begin with a slash ( / ). Notes: For those requests whose URLs don't match with the Request URL, FortiWeb Cloud will not apply XML Validation rule on them.
XML Limits	Enable to define limits for attributes, CDATA, and elements.
Schema Validation	Enable to import XML schema files to check XML contents in HTTP requests. XML schema files specify the acceptable structure of and elements in an XML document. Make sure the schema file doesn't contain any structural error, otherwise the XML Protection Rule will not take effect.
Schema File	Upload an acceptable XML schema file. Available only when Schema Validation is enabled.
Forbid XML Entities	Enable to configure limits for the XML entities.

Click OK.

Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.
To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

Alert	Accept the request and generate an alert email and/or log message.
Alert & Deny	Block the request (or reset the connection) and generate an alert email and/or log message.
Deny(no log)	Block the request (or reset the connection).

Click SAVE.

XML Protection

If your API interfaces are implemented using XML, you can configure XML protection rules to ensure that the content of XML API requests does not contain any potential attacks.

To create an XML protection rule

Go to API PROTECTION > XML Protection.
You must have already enabled this module in Add Modules. See How to add or remove a module.
Click +Create XML Protection Rule.

Configure these settings.

Name	Enter a name for the XML protection rule.
Request URL	Type the URL used to match requests, such as `/upload.php`, or use wildcards to match multiple URLs, such as `/folder1/` or `/folder1//index.htm`. The URL must begin with a slash ( / ). Notes: For those requests whose URLs don't match with the Request URL, FortiWeb Cloud will not apply XML Validation rule on them.
XML Limits	Enable to define limits for attributes, CDATA, and elements.
Schema Validation	Enable to import XML schema files to check XML contents in HTTP requests. XML schema files specify the acceptable structure of and elements in an XML document. Make sure the schema file doesn't contain any structural error, otherwise the XML Protection Rule will not take effect.
Schema File	Upload an acceptable XML schema file. Available only when Schema Validation is enabled.
Forbid XML Entities	Enable to configure limits for the XML entities.

Click OK.

Alert	Accept the request and generate an alert email and/or log message.
Alert & Deny	Block the request (or reset the connection) and generate an alert email and/or log message.
Deny(no log)	Block the request (or reset the connection).

Click SAVE.