[WEB SECURITY] Multi Vendor XML parser DOS Details?

Steven M. Christey coley at linus.mitre.org
Thu Aug 6 16:53:21 EDT 2009

On Thu, 6 Aug 2009, Eugene Kuznetsov wrote:

> The stuff I saw was the well-known "many open tags, no close tags"
> scenario, which is quite a bit simpler than Entity Expansion -- since
> parsers have to keep a stack of start elements (usually), one can simply
> blow the stack by never closing them, like so:
> <foo><foo><foo><foo> ... for megabytes
> Many of the basic XML attacks are of this basic type, violating the
> assumptions within the parser about what's reasonable input. Hope this
> helps.

In CVE, we've been capturing both entity expansion and the attack above
over the past couple of months.  I have a feeling that we're going to run
into a lot of these for browsers - so web app people should test their own
parser libraries for equivalent problems.

In the foo example above, what I'm not clear on is whether having closing
tags will still produce the same DoS.  The main problem might be the lack
of control of deep nesting, so some parsing schemes may run out of stack
or exceed internal buffers before they even notice whether there's a
closing tag or not - but I'm no expert on parsing.

- Steve

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list