JavaScript object notation (JSON) is vulnerable to content-level attacks. Such attacks attempt to use structures that overwhelm JSON parsers to crash a service and induce application-level denial-of-service attacks.

The JSONThreatProtection policy minimizes the risk posed by such attacks by enabling specific limits on various JSON structures such as arrays and strings. All settings are optional and should be tuned to optimize service requirements against potential vulnerabilities.


If a limit is not specified, the system applies a default value '-1' (the system equates a negative value to no limit).


The properties that have to be configured to use the policy are described below.

Figure 1: JSON Threat Protection Policy Configuration attributes

Container Depth

Maximum allowed nested depth.

Object Entry Count

Maximum number of entries allowed in an object.

Object Entry Name Length

Maximum string length allowed in an object's entry name.

Array Element CountMaximum number of elements allowed in an array.
String Value LengthMaximum length allowed for a string value.


Configure JSON Threat policy with the values below and add it to Target Response:

Figure 2: JSON Threat Protection policy properties with values provided in the Example

Without JSON Threat Protection policy, below is the error output that is displayed :

{"Envelope": {

    "@xmlns:soap": "",

    "@xmlns:xsi": "",

    "@xmlns:xsd": "",

    "Body": {"ConversionRateResponse":     {

        "@xmlns": "http://www.webserviceX.NET/",

        "ConversionRateResult": "0.0157"



After JSON Threat Policy is set, below is the error output that is displayed as the Container Depth is beyond the set limit ‘2’:


  "ErrorMessage" : "Container depth limit exceeded",

  "ErrorCode" : "Threat Detected",

  "MoreInfo" : "Policy Name - jsonThreat, Type - JSON_THREAT"


Adaptavist ThemeBuilder EngineAtlassian Confluence