Using the WS-Malicious Pattern Detection Policy

Learn about the WS-Malicious Pattern Detection Policy and policy configuration options.


For information about using policies in the context of the developer portal, see Business Policies.

Table of Contents

  1. About the WS-Malicious Pattern Detection policy
  2. Creating a WS-Malicious Pattern Detection policy
  3. Configuring a WS-Malicious Pattern Detection policy
  4. Viewing a WS-Malicious Pattern Detection policy
  5. Attaching the policy
  6. Examples: out-of-the-box SOAP XPath Injection policy

About the WS-Malicious Pattern Detection policy

The WS-Malicious Pattern Detection policy is very similar to the HTTP Malicious Pattern Detection policy, but it is tailored for SOAP messages. In particular, the SOAP body and SOAP headers can be handled differently. You can use the WS-Malicious Pattern Detection policy for SOAP messages (transmitted over HTTP), but the envelope has no special meaning and would be treated as any XML content.


Creating a WS-Malicious Pattern Detection policy

The first step in creating a policy is to define the basic policy information. Then, you can configure the policy details.

To add an operational policy
  1. Go to Workbench > Browse > Organization, and select Policies > Operational Policies. The Policies Summary is displayed.
  2. Click Add Policy.
  3. Choose the policy type and click Next.
  4. Specify a name (required) and description (optional) and click Finish. At the Completion Summary, click Close. The Add Policy Wizard creates a draft policy instance that you can then configure on the Policy Details page.

For more information, see Add Policy.


Configuring a WS-Malicious Pattern Detection Policy

The Modify WS-Malicious Pattern Detection Policy screen allows you to modify the required content options for the WS-Malicious Pattern Detection policy.

To configure a WS-Malicious Pattern Detection policy
  1. Go to Workbench > Browse > Organization and select the Policies > Operational Policies folder. The Policies Summary is displayed.
  2. Find the policy on the list and double-click to go to the Details page for the policy.
  3. In the second panel, click Modify to access the Modify WS-Malicious Pattern Detection Policy page, as shown below.

  4. Specify values. For information about the fields, refer to WS-Malicious Pattern Detection policy options below.
  5. When done, click Apply.


WS-Malicious Pattern Detection policy options

The Modify WS-Malicious Pattern Detection Policy wizard has only one page. It includes the options listed below.

Inspect Binding Headers
Optionally, SOAP headers can be scanned for patterns. By default, if you select this option, all headers will be scanned. To scan only certain headers, add the header names in the table.
Exclude Markup
If markup is excluded, only the content of the properties, not the markup itself, will be scanned. For example, an XML tag will not be scanned, just the tag's value.
Patterns
One or more regular expression patterns to scan for. Any match will cause the message to be rejected. For more information about using regular expressions, see Using Regular Expressions in Policies.
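
The sketch below is an added example, not code from the product or its documentation. It models in Python how the three options interact on one message. The patterns, the sample envelope and the function name scan are constructed for illustration, and treating "content" as element text only is an assumption.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed patterns for illustration; NOT the product's out-of-the-box expressions.
TAUTOLOGY = re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)  # quote-breaking "or" clause
KEYWORD = re.compile(r"\bselect\b", re.I)                   # bare SQL keyword
PATTERNS = [TAUTOLOGY, KEYWORD]

# Constructed sample: a suspicious value in one header, and a legitimate
# body element that happens to be named "select".
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <t:Trace xmlns:t="urn:example:trace">abc' or '1'='1</t:Trace>
    <t:Client xmlns:t="urn:example:trace">portal</t:Client>
  </soap:Header>
  <soap:Body>
    <m:select xmlns:m="urn:example:orders"><m:user>alice</m:user></m:select>
  </soap:Body>
</soap:Envelope>"""


def scan(envelope, patterns, inspect_headers=False, header_names=(),
         exclude_markup=False):
    """Return (part, pattern) hits; any hit means the message is rejected."""
    # Stdlib parser is fine for this constructed sample; use a hardened
    # parser (for example defusedxml) for untrusted input.
    root = ET.fromstring(envelope)
    parts = [("body", el) for el in root.findall(f"{{{SOAP_NS}}}Body/*")]
    if inspect_headers:
        for hdr in root.findall(f"{{{SOAP_NS}}}Header/*"):
            local = hdr.tag.rsplit("}", 1)[-1]
            # An empty name table means "scan all headers".
            if not header_names or local in header_names:
                parts.append((f"header:{local}", hdr))
    hits = []
    for name, el in parts:
        if exclude_markup:
            # Assumption: "content" is element text only, not tag names.
            text = "\n".join(el.itertext())
        else:
            # Re-serialized markup, so tag and attribute names are scanned too.
            text = ET.tostring(el, encoding="unicode")
        hits += [(name, p.pattern) for p in patterns if p.search(text)]
    return hits
```

With markup included, the element name select alone triggers the keyword pattern. With headers left uninspected, the value in the Trace header is never scanned.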


Viewing WS-Malicious Pattern Detection Policy Details

To view the WS-Malicious Pattern Detection policy details:
  1. Go to Workbench > Browse > Organization, and select Policies > Operational Policies. The Policies Summary is displayed.
  2. Find the policy on the list and double-click to go to the Details page for the policy. An example is shown below.


Attaching the policy

To use the policy, go to the Policies folder in the Root Organization and attach the policy to a web service, binding, or binding operation.


Examples: out-of-the-box SOAP XPath Injection policy

The following examples illustrate an out-of-the-box SOAP XPath Injection policy, which is an application of the WS-Malicious Pattern Detection policy.

Regular Expressions:

In the example below, the regular expression matches XPath symbols.

For more information about using regular expressions, see Using Regular Expressions in Policies.

SQL Expressions:

A SOAP SQL detection policy is also included out-of-the-box. Its expressions match SQL symbols and keywords, as shown below.
