The XML Message Validation check examines requests that contain XML
messages to ensure that they are valid. If a request contains an invalid XML
message, the application firewall blocks the request. The purpose of the XML
Validation check is to prevent an attacker from using specially constructed
invalid XML messages to breach the security of your application.
If you use the wizard or the configuration utility, in the
Modify XML Message Validation Check dialog box, on
the General tab you can enable or disable the
If you use the command-line interface, you can enter the following
command to configure the XML Message Validation Check:
You must use the configuration utility to configure the other XML
Validation check settings. In the
Modify XML Message Validation Check
dialog box, on
tab, you can configure the following
- XML Message Validation. Use one of the following options to validate the
  XML message:
  - SOAP Envelope. Validate only the SOAP envelope of XML messages.
  - WSDL. Validate XML messages by using an XML SOAP WSDL. If you choose WSDL
    validation, in the WSDL Object drop-down list you must choose a WSDL. If
    you want to validate against a WSDL that has not already been imported to
    the application firewall, you can click the Import button to open the
    Manage WSDL Imports dialog box and import your WSDL. See
    - If you want to validate the entire URL, leave the Absolute radio button
      in the End Point Check button array selected. If you want to validate
      only the portion of the URL after the host, select the Relative radio
      button.
    - If you want the application firewall to enforce the WSDL strictly, and
      not allow any additional XML headers not defined in the WSDL, you must
      clear the Allow additional headers not defined in the WSDL check box.
      Caution: If you uncheck the Allow additional headers not defined in the
      WSDL check box, and your WSDL does not define all XML headers that your
      protected XML application or Web 2.0 application expects or that a
      client sends, you may block legitimate access to your protected service.
  - XML Schema. Validate XML messages by using an XML schema. If you choose
    XML schema validation, in the XML Schema Object drop-down list you must
    choose an XML schema. If you want to validate against an XML schema that
    has not already been imported to the application firewall, you can click
    the Import button to open the Manage XML Schema Imports dialog box and
    import your XML schema. See "WSDL" for more information.
- Response Validation. By default, the application firewall does not attempt
  to validate responses. If you want to validate responses from your protected
  application or Web 2.0 site, select the Validate Response check box. When
  you do, the Reuse the XML Schema specified in request validation check box
  and the XML Schema Object drop-down list are activated.
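
To make the SOAP Envelope, strict WSDL header, and End Point Check options concrete, the following added example (not code from the application firewall or from the original page) applies the same kinds of checks to one request. The function name, the sample message, the header set, and the endpoint URL are assumptions made for illustration, and the SOAP 1.1 envelope namespace is assumed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
ENVELOPE, HEADER, BODY = (f"{{{SOAP_NS}}}{n}" for n in ("Envelope", "Header", "Body"))

def validate_soap(message, url, wsdl_headers, wsdl_endpoint,
                  allow_additional_headers=True, endpoint_check="absolute"):
    """Return a list of violations; an empty list means the request passes."""
    # Simple byte match (assumes ASCII-compatible input): SOAP forbids a DTD.
    if b"<!DOCTYPE" in message:
        return ["DOCTYPE not allowed in a SOAP message"]
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    if root.tag != ENVELOPE:
        return ["root element is not a SOAP Envelope"]
    problems = []
    children = [child.tag for child in root]
    if children.count(BODY) != 1:
        problems.append("Envelope must contain exactly one Body")
    if HEADER in children and children.index(HEADER) != 0:
        problems.append("Header must be the first child of Envelope")
    # Strict WSDL enforcement: every header block must be one the WSDL defines.
    if not allow_additional_headers:
        for block in root.findall(f"{HEADER}/*"):
            if block.tag not in wsdl_headers:
                problems.append(f"header not defined in WSDL: {block.tag}")
    # End point check: whole URL (absolute) or only the part after the host (relative).
    rel = lambda u: urlsplit(u)._replace(scheme="", netloc="").geturl()
    if endpoint_check == "absolute":
        same = url == wsdl_endpoint
    else:
        same = rel(url) == rel(wsdl_endpoint)
    if not same:
        problems.append("request URL does not match the WSDL endpoint")
    return problems

# Constructed sample request and WSDL facts (assumptions, not from the original page).
SAMPLE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:a="urn:example:auth" xmlns:t="urn:example:trace">
  <soap:Header><a:Token>abc</a:Token><t:TraceId>42</t:TraceId></soap:Header>
  <soap:Body><GetQuote xmlns="urn:example:quotes"/></soap:Body>
</soap:Envelope>"""
WSDL_HEADERS = {"{urn:example:auth}Token"}        # header QNames the WSDL declares
WSDL_ENDPOINT = "https://svc.example.com/quotes"  # endpoint address from the WSDL
```

With the defaults the sample passes; with `allow_additional_headers=False` the undeclared `TraceId` header is reported, which is the situation the Caution above describes.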