[WEB SECURITY] Multi Vendor XML parser DOS Details?

Hoffman, Billy billy.hoffman at hp.com
Thu Aug 6 16:20:38 EDT 2009


I haven't seen details about the new attacks. The best stuff I've seen to date was Alex Stamos's preso at Black Hat a few years back about attacking web services which includes a section on DoSing XML parsers.

Billy Hoffman
--
Manager, Web Security Research Group
HP Software
Direct: 770-343-7069


-----Original Message-----
From: Eugene Kuznetsov [mailto:kuznetso at gmail.com] 
Sent: Thursday, August 06, 2009 3:56 PM
To: robert at webappsec.org
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Multi Vendor XML parser DOS Details?

The stuff I saw was the well-known "many open tags, no close tags"
scenario, which is quite a bit simpler than Entity Expansion -- since
parsers have to keep a stack of start elements (usually), one can simply
blow the stack by never closing them, like so:

<foo><foo><foo><foo> ... for megabytes

Many of the basic XML attacks are of this basic type, violating the
assumptions within the parser about what's reasonable input. Hope this
helps. 

				-- Eugene


On Thu, 2009-08-06 at 14:36 -0400, robert at webappsec.org wrote:
> There's been news about a new XML Parser Denial of Service that seems to affect multiple products.
> Unfortunately I haven't seen any technical details as to what the issue is, does anyone
> know what it is exactly?
> 
> I'm thinking one of the following?
> 
> XML Attribute Blowup (WASC TCv2)
> http://projects.webappsec.org/XML-Attribute-Blowup
> 
> XML Entity Expansion (WASC TCv2)
> http://projects.webappsec.org/XML-Entity-Expansion
> 
> Regards,
> - Robert Auger
> WASC Co Founder and Moderator of The Web Security Mailing List
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> http://www.qasec.com/
> 
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 


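The "many open tags, no close tags" pattern Eugene describes works because a conventional parser pushes every start element onto a stack and only pops on the matching end tag, so a stream of unclosed tags grows that stack without bound. The defence is to stop trusting the input's structure and enforce your own limits while streaming. The following is an added example, not code from anyone in this thread: it feeds a document through Python's expat binding in chunks, keeps a single depth counter instead of a tree, and aborts as soon as nesting exceeds a limit. The limit values, the `XmlLimitExceeded` name and the sample documents are all assumptions constructed for this illustration.

```python
import xml.parsers.expat

# Assumed policy values for this example (not from the thread); tune them per application.
MAX_DEPTH = 64           # deepest element nesting accepted
MAX_BYTES = 1024 * 1024  # largest document accepted
CHUNK = 16 * 1024        # feed size, so the whole document never has to be parsed at once


class XmlLimitExceeded(ValueError):
    """Raised when a document crosses one of the structural limits."""


def scan_xml(data: bytes, max_depth: int = MAX_DEPTH, max_bytes: int = MAX_BYTES) -> dict:
    """Stream `data` through expat, tracking element depth with one integer.

    Returns {"max_depth": n, "elements": m} for an acceptable, well-formed document.
    Raises XmlLimitExceeded as soon as a limit is crossed (the rest of the input is
    never read) and xml.parsers.expat.ExpatError for malformed input, which includes
    tags that are still open at end of input.
    """
    if len(data) > max_bytes:
        raise XmlLimitExceeded(f"document is {len(data)} bytes, limit {max_bytes}")

    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_start(name, attrs):
        # The only per-element state we keep is this counter; no stack of open tags.
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise XmlLimitExceeded(f"nesting depth {state['depth']} exceeds limit {max_depth}")
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def on_end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    # Feed in chunks; an exception raised inside a handler propagates out of Parse()
    # and stops parsing right there, which is the early exit we want.
    for offset in range(0, len(data), CHUNK):
        parser.Parse(data[offset:offset + CHUNK], False)
    parser.Parse(b"", True)  # signal end of input; unclosed elements surface here as ExpatError
    return {"max_depth": state["max_depth"], "elements": state["elements"]}


def classify(data: bytes) -> str:
    """Summarise the outcome of scan_xml as a short string for logging or tests."""
    try:
        info = scan_xml(data)
        return f"accepted depth={info['max_depth']}"
    except XmlLimitExceeded:
        return "rejected: limit exceeded"
    except xml.parsers.expat.ExpatError:
        return "rejected: malformed"


# Constructed sample documents (not captured traffic).
BENIGN = b"<order><item><name>widget</name></item></order>"   # depth 3, well-formed
NEVER_CLOSED = b"<foo>" * 20000                                # 100 KB of open tags, no close tags
NESTED_CLOSED = b"<foo>" * 200 + b"</foo>" * 200               # well-formed but 200 levels deep

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("never_closed", NEVER_CLOSED), ("nested_closed", NESTED_CLOSED)):
        print(f"{label}: {classify(doc)}")
```

The depth check fires on the first chunk of `NEVER_CLOSED`, long before the parser has seen the remaining tags, which is the property that matters: cost to the defender should be bounded by the limit, not by the attacker's input size. The same handler structure accommodates the other limits a practitioner usually wants alongside depth (attribute count per element, total element count, entity expansion budget) by adding a counter and a comparison.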