XML Bomb

Posted 信息安全club

Wednesday, security topic again. We talked about XXE a while back; today let's look into another famous XML-related vulnerability, the XML bomb.

(I'm posting some English articles in case Ruly wants to read them.)



01

Introduction


An XML bomb is a message composed and sent with the intent of overloading an XML parser (typically one inside an HTTP server). XML bombs exploit the fact that XML allows the definition of entities. For example, let entityOne be defined as 20 entityTwo's, each of which is in turn defined as 20 entityThree's. If we continue the same pattern down to entityEight, the XML parser will unfold a single occurrence of entityOne into 1 280 000 000 entityEight's, taking up 5 GiB of memory. The ultimate goal of the attack is to deny service to a (web) application.


02


Typical real-world attack


The following XML will deny service to, and possibly crash, a vulnerable server:

The triggering entity, which in this case is &lol9;, is usually inserted into a parameter of a request.

03


Protection


How do you protect your application from an exploding XML bomb? If you don't need support for DTDs, just disable DTDs or use a parser without DTD support. If you do need DTD support, either try to prevent XML bombs from entering your XML parser by known-pattern scanning (as classic antivirus software does, for example in an application firewall), or limit the impact of an expanding XML bomb by hardening your XML parser so that its consumption of resources is restricted. Be aware of the limitations of known-pattern scanning: this is a text-book XML bomb, with exponential growth that originates in its binary tree structure, but there are many other data type structures …
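One way to implement both options in Python, as an added example that is not part of the original post: refuse any DTD when DTDs are not needed, and otherwise bound the expansion by walking the internal entity definitions as a graph instead of expanding them. The MAX_EXPANSION_CHARS value, the function names and the regular-expression handling of internal entities are assumptions of this example; external (SYSTEM) and parameter entities are not covered here.

```python
import re
import xml.etree.ElementTree as ET

MAX_EXPANSION_CHARS = 1_000_000  # policy knob: assumed value, tune per application

_DOCTYPE_RE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>', re.DOTALL)
_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>', re.DOTALL)
_REF_RE = re.compile(r'&(\w+);')

class XmlBombRejected(ValueError):
    """Raised when a document fails the pre-parse checks."""

def parse_without_dtd(doc: str) -> ET.Element:
    """Option 1: DTDs are not needed, so any DOCTYPE is refused before parsing."""
    if _DOCTYPE_RE.search(doc):
        raise XmlBombRejected("DTD not allowed")
    return ET.fromstring(doc)

def estimate_expansion(doc: str, limit: int = MAX_EXPANSION_CHARS) -> int:
    """Option 2: DTDs are needed, so bound the expansion before the parser does it.
    Size of an entity = its literal text + size of each entity it references, memoised,
    so the 20 x 20 x ... tree from the introduction costs a few additions, not 1.28e9."""
    defs = {name: value for name, _, value in _ENTITY_RE.findall(doc)}
    sizes, visiting = {}, set()

    def size(name: str) -> int:
        if name not in defs:  # predefined (&amp; ...) or undefined: count one character
            return 1
        if name in sizes:
            return sizes[name]
        if name in visiting:  # XML forbids recursive entities; treat as hostile
            raise XmlBombRejected(f"recursive entity &{name};")
        visiting.add(name)
        value = defs[name]
        total = len(_REF_RE.sub("", value))
        for ref in _REF_RE.findall(value):
            total += size(ref)
            if total > limit:
                raise XmlBombRejected(f"&{name}; expands past {limit} characters")
        visiting.discard(name)
        sizes[name] = total
        return total

    total = 0
    for ref in _REF_RE.findall(_DOCTYPE_RE.sub("", doc)):  # references in the body only
        total += size(ref)
        if total > limit:
            raise XmlBombRejected(f"document expands past {limit} characters")
    return total
```

Run the check on the raw request body before handing it to the parser; the walk reports the expanded size of the eight-level example from the introduction without ever allocating it.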


So, what did we do to make our application XML-bomb-free? I'll tell you in person.
