xml vulnerabilities


First we need to distinguish the effect of attack from the feature that is exploited.

Particular features of XML that can be exploited are

  • XML entities
  • Proprietary extension of parser and validator
  • Cyclic/recursive references
  • Remote access

The effects can be either

  • DOS
  • Information disclosure

I don't think there is a precise definition of a "bomb", but it refers to an attack that is particularly "compact" and which "expands". A "coercive parsing attack" exploits the nature of the XML model to overwhelm the parser.

The examples below are taken from XML Denial of Service Attacks and Defenses. Also, if you understand French, read the excellent magazine "La security des web services".

Example 1

A bomb using entities which result in a DOS because it exhausts the memory

    <?xml version="1.0"?>
    <!DOCTYPE kaboom [
      <!ENTITY a "aaaaaaaaaaaaaaaaaa...">
    ]>
    <kaboom>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</kaboom>

If you have 50'000 "aaaa...aaa" and 50'000 &a;&a;...&a;, a payload of 200KB expands to more than 2GB in memory.

Example 2

An entity could be used to access another file in an unauthorized way. This leads to information disclosure.

    <?xml version="1.0"?>
    <!DOCTYPE letter [
      <!ENTITY file SYSTEM "/sensitive.txt" >
    ]>
    <tag> &file; </tag>

Example 3

Using the ability of certain parsers to access remote resources (see http://www.ibm.com/developerworks/xml/library/x-tipgentity.html), now go figure what happens if the file bigfile.xml is 2GB. This probably leads to a DOS.

    <?xml version="1.0"?>
    <!DOCTYPE letter [
      <!ENTITY file SYSTEM "http://www.mysite.com/bigfile.xml" >
    ]>
    <tag> &file; </tag>

Example 4

This recursion will lead to memory exhaustion and probably a DOS.

    <!ENTITY companyname "Contoso Inc.">
    <!ENTITY divisionname "&companyname; Web Products Division">

If this is schoolwork, then you should also think about how you can protect yourself from such an attack.
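On the protection side, one cheap defence is a preflight check that inspects the DTD before the document reaches the real parser: refuse SYSTEM/PUBLIC entities (Examples 2 and 3), refuse cyclic entity references (Example 4), and estimate the fully expanded size of every entity reference in the body, rejecting anything over a limit (Example 1). The following is an added illustration, not code from the answer or from the cited papers; the regex-based DTD scanner, the 1,000,000-character limit and the sample documents are constructed for the demonstration.

```python
import re

# Internal ("literal") and external (SYSTEM/PUBLIC) entity declarations in a DTD.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:(SYSTEM|PUBLIC)\s+[^>]*|"([^"]*)")\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def expanded_size(name, values, cache, stack):
    """Characters produced by fully expanding &name;, or None on a cyclic reference."""
    if name in cache:                    # memoised: nested "billion laughs" stays linear
        return cache[name]
    if name in stack:
        return None                      # cycle such as a -> b -> a
    if name not in values:
        return len(name) + 2             # undeclared: stays as the literal &name;
    stack.add(name)
    literal = values[name]
    total = len(ENTITY_REF.sub('', literal))
    for ref in ENTITY_REF.findall(literal):
        inner = expanded_size(ref, values, cache, stack)
        if inner is None:
            return None
        total += inner
    stack.discard(name)
    cache[name] = total
    return total

def check_document(doc, max_expansion=1_000_000):
    """Verdict: 'ok', 'external-entity', 'recursive-entity' or 'expansion-limit'."""
    values = {}
    for name, kind, literal in ENTITY_DECL.findall(doc):
        if kind:                         # SYSTEM/PUBLIC, as in Examples 2 and 3
            return 'external-entity'
        values[name] = literal
    body = ENTITY_DECL.sub('', doc)      # count references outside the DTD only
    total, cache = len(ENTITY_REF.sub('', body)), {}
    for ref in ENTITY_REF.findall(body):
        size = expanded_size(ref, values, cache, set())
        if size is None:
            return 'recursive-entity'
        total += size
        if total > max_expansion:
            return 'expansion-limit'     # Example 1: small payload, huge expansion
    return 'ok'

# Constructed samples: scaled-down Example 1 (~4 KB on the wire, ~4 MB expanded), etc.
KABOOM = ('<?xml version="1.0"?><!DOCTYPE kaboom [<!ENTITY a "' + 'a' * 1000
          + '">]><kaboom>' + '&a;' * 4000 + '</kaboom>')
XXE = '<!DOCTYPE letter [<!ENTITY file SYSTEM "/sensitive.txt">]><tag>&file;</tag>'
CYCLE = '<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'
BENIGN = '<!DOCTYPE x [<!ENTITY co "Contoso Inc."><!ENTITY div "&co; Web Products">]><x>&div;</x>'
```

Calling check_document on the four samples yields 'expansion-limit', 'external-entity', 'recursive-entity' and 'ok' respectively; a harmless nested entity like the Contoso one passes, while the three attack shapes are rejected before any real parsing happens.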