xml vulnerabilities

既然无缘 2021-02-08 07:01

XML has been the backbone of service-oriented applications (SOA), and it will be a useful one in the coming future. As XML is easy and flexible, it can easily be made vulnerable.

1 answer
  •  盖世英雄少女心
    2021-02-08 07:40

    First we need to distinguish the effect of attack from the feature that is exploited.

    Particular features of XML that can be exploited are

    • XML entities
    • Proprietary extension of parser and validator
    • Cyclic/recursive references
    • Remote access

    The effects can be either

    • DOS
    • Information disclosure

    I don't think there is a precise definition of a "bomb", but it refers to an attack that is particularly "compact" and which "expands". A "coercive parsing attack" exploits the nature of the XML model to overwhelm the parser.

    The examples below are taken from XML Denial of Service Attacks and Defenses. Also, if you understand French, read the excellent magazine "La security des web services".

    Example 1

    A bomb using entities, which results in a DOS because it exhausts the memory.

    
    
    ]>
    &a;&a;&a;&a;&a;&a;&a;&a;&a;...
    

    If you have 50'000 "aaaa...aaa" and 50'0000 &a;&a;...&a;, a payload of 200KB expands to more than 2GB in memory.

    Example 2

    An entity could be used to access another file in an unauthorized way. This leads to information disclosure.

    
    
    ]>
     &file; 
    

    Example 3

    Using the ability of certain parsers to access remote resources (see http://www.ibm.com/developerworks/xml/library/x-tipgentity.html), now go figure what happens if the file bigfile.xml is 2GB. This probably leads to a DOS.

    
    
    ]>
     &file; 
    

    Example 4

    This recursion will lead to memory exhaustion and probably a DOS.

    
    
    

    If this is schoolwork, then you should also think about how you can protect yourself from such attacks.

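On the answer's closing point about protection, one defensive approach is to reject any document that declares an entity before an application parser sees it. This is an added example, not code from the original answer. The names `EntityRejected`, `classify`, `check_entities`, `safe_parse` and `verdict` are hypothetical, and the sample documents, host and file path are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.parsers import expat

class EntityRejected(ValueError):
    """Raised at the first entity declaration; .risk names the feature."""
    def __init__(self, name, risk):
        super().__init__(f"entity {name!r} rejected: {risk}")
        self.name, self.risk = name, risk

def classify(system_id):
    """Map an entity declaration to the XML feature it would exercise."""
    if system_id is None:
        return "internal-entity"      # expansion bombs, recursive references
    if urlsplit(system_id).scheme.lower() in ("http", "https", "ftp"):
        return "remote-access"        # parser would fetch a remote resource
    return "local-file-access"        # file: URL or bare path on the host

def check_entities(data):
    """Run expat over the document; raise before any entity can be used."""
    parser = expat.ParserCreate()

    def on_decl(name, is_param, value, base, system_id, public_id, notation):
        # Declarations precede the root element, so nothing is expanded yet.
        raise EntityRejected(name, classify(system_id))

    parser.EntityDeclHandler = on_decl
    parser.Parse(data, True)

def safe_parse(data):
    """Hand the document to ElementTree only if it declares no entities."""
    check_entities(data)
    return ET.fromstring(data)

def verdict(data):
    """Return 'accepted' or the risk class that caused rejection."""
    try:
        safe_parse(data)
        return "accepted"
    except EntityRejected as exc:
        return exc.risk

# Constructed sample documents (host and file path are placeholders).
BOMB = b'<!DOCTYPE r [<!ENTITY a "aaaa">]><r>&a;&a;&a;</r>'
LOCAL = b'<!DOCTYPE r [<!ENTITY file SYSTEM "file:///placeholder.txt">]><r>&file;</r>'
REMOTE = b'<!DOCTYPE r [<!ENTITY file SYSTEM "http://example.invalid/bigfile.xml">]><r>&file;</r>'
CLEAN = b"<r><item>ok</item></r>"
```

Rejecting at declaration time covers all four examples at once, since the bomb, the file read, the remote fetch and the recursion each depend on an entity declared in the DOCTYPE.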