[WEB SECURITY] Multi Vendor XML parser DOS Details?

Steve Orrin sorrin at ix.netcom.com
Fri Aug 7 12:51:16 EDT 2009


You can also check out my Defcon speech from 2007 that covers several XML based DoS attacks with examples. (http://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-orrin.pdf). Based on the available information, I am not seeing anything really new with this announcement.
-Steve

-----Original Message-----
>From: "Hoffman, Billy" <billy.hoffman at hp.com>
>Sent: Aug 6, 2009 1:20 PM
>To: "kuznetso at alum.mit.edu" <kuznetso at alum.mit.edu>, "robert at webappsec.org" <robert at webappsec.org>
>Cc: "websecurity at webappsec.org" <websecurity at webappsec.org>
>Subject: RE: [WEB SECURITY] Multi Vendor XML parser DOS Details?
>
>I haven't seen details about the new attacks. The best stuff I've seen to date was Alex Stamos's preso at Black Hat a few years back about attacking web services which includes a section on DoSing XML parsers.
>
>Billy Hoffman
>--
>Manager, Web Security Research Group
>HP Software
>Direct: 770-343-7069
>
>
>-----Original Message-----
>From: Eugene Kuznetsov [mailto:kuznetso at gmail.com] 
>Sent: Thursday, August 06, 2009 3:56 PM
>To: robert at webappsec.org
>Cc: websecurity at webappsec.org
>Subject: Re: [WEB SECURITY] Multi Vendor XML parser DOS Details?
>
>The stuff I saw was the well-known "many open tags, no close tags"
>scenario, which is quite a bit simpler than Entity Expansion -- since
>parsers have to keep a stack of start elements (usually), one can simply
>blow the stack by never closing them, like so:
>
><foo><foo><foo><foo> ... for megabytes
>
>Many of the basic XML attacks are of this basic type, violating the
>assumptions within the parser about what's reasonable input. Hope this
>helps. 
>
>				-- Eugene
>
>
>On Thu, 2009-08-06 at 14:36 -0400, robert at webappsec.org wrote:
>> There's been news about a new XML Parser Denial of Service that seems to affect multiple products.
>> Unfortunately I haven't seen any technical details as to what the issue is, does anyone
>> know what it is exactly?
>> 
>> I'm thinking one of the following?
>> 
>> XML Attribute Blowup (WASC TCv2)
>> http://projects.webappsec.org/XML-Attribute-Blowup
>> 
>> XML Entity Expansion (WASC TCv2)
>> http://projects.webappsec.org/XML-Entity-Expansion
>> 
>> Regards,
>> - Robert Auger
>> WASC Co Founder and Moderator of The Web Security Mailing List
>> http://www.webappsec.org/
>> http://www.cgisecurity.com/
>> http://www.qasec.com/
>> 
>> 
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>> 
>> Have a question? Search The Web Security Mailing List Archives: 
>> http://www.webappsec.org/lists/websecurity/archive/
>> 
>> Subscribe via RSS: 
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>> 
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>> 
>
>




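The inputs discussed in this thread (unbounded nesting, attribute blowup, entity declarations) all share the property Eugene names: they violate a parser's assumptions about what reasonable input looks like. The following is an added example, not code from any of the posters, of a defensive front end in Python that makes those assumptions explicit by streaming a document through expat with limit-enforcing handlers and aborting at the first violation. The limit values, the chunk size and the sample payloads are constructed for illustration.

```python
"""Defensive XML front end: reject input that violates explicit limits on
nesting depth, attribute count and DTD usage before a full parse is attempted.
Added example; limits and sample documents are constructed values."""
import xml.parsers.expat

MAX_DEPTH = 256   # assumed limit: deepest element nesting we will accept
MAX_ATTRS = 64    # assumed limit: attributes on a single element
CHUNK = 4096      # feed size: lets us stop before reading a whole payload


class XmlLimitError(ValueError):
    """Raised as soon as a document exceeds one of the configured limits."""


class LimitedXmlChecker:
    """Streams a document through expat; handlers count depth and attributes
    and raise XmlLimitError immediately, so only bytes up to the violation
    are ever consumed."""

    def __init__(self, max_depth=MAX_DEPTH, max_attrs=MAX_ATTRS):
        self.max_depth = max_depth
        self.max_attrs = max_attrs
        self.depth = 0               # current open-element depth
        self.max_seen_depth = 0      # deepest point reached
        self.elements = 0            # start tags seen
        self.bytes_consumed = 0      # how far into the input we got
        parser = xml.parsers.expat.ParserCreate()
        parser.StartElementHandler = self._start
        parser.EndElementHandler = self._end
        parser.StartDoctypeDeclHandler = self._doctype
        parser.EntityDeclHandler = self._entity
        self._parser = parser

    def _start(self, name, attrs):
        self.depth += 1
        self.elements += 1
        self.max_seen_depth = max(self.max_seen_depth, self.depth)
        if self.depth > self.max_depth:
            raise XmlLimitError("nesting depth %d exceeds %d at <%s>"
                                % (self.depth, self.max_depth, name))
        if len(attrs) > self.max_attrs:
            raise XmlLimitError("attribute count %d on <%s> exceeds %d"
                                % (len(attrs), name, self.max_attrs))

    def _end(self, name):
        self.depth -= 1

    def _doctype(self, doctype_name, system_id, public_id, has_internal_subset):
        # Any DOCTYPE is refused: internal subsets are where entity
        # expansion payloads are declared.
        raise XmlLimitError("DOCTYPE declarations are not accepted")

    def _entity(self, *args):
        raise XmlLimitError("entity declarations are not accepted")

    def check(self, data: bytes) -> None:
        """Feed data in chunks; a limit violation stops reading early."""
        for offset in range(0, len(data), CHUNK):
            chunk = data[offset:offset + CHUNK]
            self.bytes_consumed += len(chunk)
            self._parser.Parse(chunk, False)
        self._parser.Parse(b"", True)   # final call: unclosed tags error here


def classify(data: bytes):
    """Return (verdict, checker). Verdict is 'ok', 'rejected: ...' for a
    limit violation, or 'malformed: ...' for ordinary well-formedness errors."""
    checker = LimitedXmlChecker()
    try:
        checker.check(data)
    except XmlLimitError as exc:
        return "rejected: " + str(exc), checker
    except xml.parsers.expat.ExpatError as exc:
        return "malformed: " + str(exc), checker
    return "ok", checker


# Constructed sample documents, one per scenario from the thread.
BENIGN = b"<root><item id='1'>text</item></root>"
DEEP_NESTING = b"<foo>" * 100000                      # open tags, never closed
ATTRIBUTE_BLOWUP = (b"<a " + b" ".join(b'a%d="1"' % i for i in range(1000))
                    + b"/>")
ENTITY_DECL = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>')
UNCLOSED_SHALLOW = b"<a><b>"                          # malformed, not a DoS

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("deep nesting", DEEP_NESTING),
                       ("attribute blowup", ATTRIBUTE_BLOWUP),
                       ("entity declaration", ENTITY_DECL),
                       ("unclosed shallow", UNCLOSED_SHALLOW)]:
        verdict, c = classify(doc)
        print("%-20s %s (read %d of %d bytes)"
              % (label, verdict, c.bytes_consumed, len(doc)))
```

The depth check is what defeats the "many open tags, no close tags" case: the half-megabyte payload is rejected after the first 4 KiB chunk, long before a stack of start elements can grow. Refusing any DOCTYPE is a blunt but reliable answer to entity expansion for services that never legitimately receive DTDs; a deployment that must accept them would instead bound the expanded size.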