[WEB SECURITY] Multi Vendor XML parser DOS Details?

Eugene Kuznetsov kuznetso at gmail.com
Thu Aug 6 15:56:15 EDT 2009


The stuff I saw was the well-known "many open tags, no close tags"
scenario, which is quite a bit simpler than Entity Expansion -- since
parsers have to keep a stack of start elements (usually), one can simply
blow the stack by never closing them, like so:

<foo><foo><foo><foo> ... for megabytes

Many of the basic XML attacks are of this basic type, violating the
assumptions within the parser about what's reasonable input. Hope this
helps. 

				-- Eugene


On Thu, 2009-08-06 at 14:36 -0400, robert at webappsec.org wrote:
> There's been news about a new XML Parser Denial of Service that seems to affect multiple products.
> Unfortunately I haven't seen any technical details as to what the issue is, does anyone
> know what it is exactly?
> 
> I'm thinking one of the following?
> 
> XML Attribute Blowup (WASC TCv2)
> http://projects.webappsec.org/XML-Attribute-Blowup
> 
> XML Entity Expansion (WASC TCv2)
> http://projects.webappsec.org/XML-Entity-Expansion
> 
> Regards,
> - Robert Auger
> WASC Co Founder and Moderator of The Web Security Mailing List
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> http://www.qasec.com/
> 
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
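
One way to guard against the unclosed-start-tag input described in the message above, as an added example that is not part of the original thread: stream the input through Python's expat binding and stop at the first element nested deeper than a cap. The names `scan` and `open_tags_only`, the cap of 128 and the sample inputs are assumptions constructed for this illustration.

```python
import xml.parsers.expat

class NestingTooDeep(Exception):
    """Raised when open elements outnumber the configured cap."""

def scan(chunks, max_depth=128):
    """Stream byte chunks through expat, tracking open-element depth.

    Returns (verdict, deepest, bytes_fed); verdict is "ok", "too-deep"
    or "malformed". Parsing stops at the first violation, so the rest
    of an oversized document is never read.
    """
    state = {"depth": 0, "deepest": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["deepest"] = max(state["deepest"], state["depth"])
        if state["depth"] > max_depth:
            raise NestingTooDeep(name)  # propagates out of Parse()

    def end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    fed = 0
    try:
        for chunk in chunks:
            fed += len(chunk)
            parser.Parse(chunk, False)
        parser.Parse(b"", True)  # end of input: unclosed tags are an error
    except NestingTooDeep:
        return "too-deep", state["deepest"], fed
    except xml.parsers.expat.ExpatError:
        return "malformed", state["deepest"], fed
    return "ok", state["deepest"], fed

def open_tags_only(total_tags, per_chunk=1000):
    """Constructed sample: the '<foo><foo>...' input from the post, lazily."""
    for _ in range(total_tags // per_chunk):
        yield b"<foo>" * per_chunk

if __name__ == "__main__":
    print(scan([b"<a><b><c/></b></a>"]))     # well-formed, shallow
    print(scan(open_tags_only(1_000_000)))   # rejected inside the first chunk
    print(scan([b"<foo><foo>"]))             # short but never closed
```

Because the sample generator is lazy and the handler raises inside the first chunk, the megabytes of remaining input are never produced or buffered.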

