Re: [xml-dev] XML processor attacks

["derek denny-brown" <zuligag@gmail.com>]

By attribute/name resolution attacks, I meant (a) duplicate attribute
detection and (b) prefix lookup attacks.

Duplicate attribute detection is often implemented as a linear scan,
which equates to O(N^2), algorithm, which makes it 'vulernable'.  If
it is implemented as a hashtable, then the attacker just needs to know
your hash algorithm to also make that O(N^2).

Most parsers I've seen, implement namespace prefix lookup as a scan
over a stack, and thus is O(N^2), as with duplicate attribute
detection.

It is quite hard to actually craft an attack that leverages these
vulnerabilities to do much damage though, since the scans are usually
extremely fast.  The DTD/parameter-entity attack is the only one that
I know of that has worse then O(N^2) overhead.  By limiting the size
of document accepted, you can trivially block any of the O(N^2)
attacks (since it would require a large document for N to get large
enough to really ammount to much).

On 1/30/07, Shlomo Yona <S.Yona@f5.com> wrote:
> Hello,
>
> I am aware of some XXE attacks (tricking the XML processor to access files which should be unauthorized for access, e.g., password files). I think that attacks that are "hidden" in file inclusions or are being referred to from an XML document, also fall into this category.
>
> There is also the famos XML bomb, a recursive definition of attributes designed to cause an XML processor to consume too much memory.
>
> What do you mean by "attribute/name resolution attacks"?
>
> Shlomo
>
> -----Original Message-----
> From: derek denny-brown [mailto:zuligag@gmail.com]
> Sent: ד 31 ינואר 2007 01:20
> To: Shlomo Yona
> Cc: xml-dev@lists.xml.org
> Subject: Re: [xml-dev] XML processor attacks
>
> I have never seen a comprehensive list.  I know that when I was at MS
> and worked on making the parsers robust against DoS attacks, we found
> attacks that we had not seen published.  The only really bad attacks
> are related to entity expansion, as I remember.  A lot of people are
> all paranoid about attribute/name resolution attacks that turn out to
> be comparatively trivial.
>
> On 1/30/07, Shlomo Yona <S.Yona@f5.com> wrote:
> > Hello,
> >
> > I've been googling a lot and was unable to find a summary of XML
> > processor attacks.
> >
> > What I'm looking for is some kind of a list of XML parser/processor
> > attacks, which should be considered when implementing XML standard for
> > creating such processors.
> >
> > Is there such a list?
> >
> > If not, can this be a legitimate discussion on this list?
> >
> > Thanks.
> >
> > Shlomo.
> >
> > _______________________________________________________________________
> >
> > XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> > to support XML implementation and development. To minimize
> > spam in the archives, you must subscribe before posting.
> >
> > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
> > subscribe: xml-dev-subscribe@lists.xml.org
> > List archive: http://lists.xml.org/archives/xml-dev/
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> >
> >
>