[WEB SECURITY] Multi Vendor XML parser DOS Details?

Bhalla, Nishchal nish at securitycompass.com
Thu Aug 6 17:20:31 EDT 2009


Just to echo Steve's comment, Sahba Kazerooni also presented something similar a few years back at Black Hat Europe around this and other web services attacks.

-----Original Message-----
From: Steven M. Christey [mailto:coley at linus.mitre.org] 
Sent: Thursday, August 06, 2009 4:55 PM
To: Hoffman, Billy
Cc: kuznetso at alum.mit.edu; robert at webappsec.org; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Multi Vendor XML parser DOS Details?


On Thu, 6 Aug 2009, Hoffman, Billy wrote:

> I haven't seen details about the new attacks. The best stuff I've seen
> to date was Alex Stamos's preso at Black Hat a few years back about
> attacking web services which includes a section on DoSing XML parsers.

There typically seems to be a multi-year delay between when something's
presented at Black Hat (or equivalent) and when it reaches some critical
mass for common exploitation.  Just some food for thought for people who
like to plan ahead.

- Steve

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

