OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
RE: [xml-dev] XML processor attacks

Title: RE: [xml-dev] XML processor attacks

Thanks for the details.

I don't seem to understand the O(N^2) part.
Can you specify on this bound?
I don't understand how this bound can be reached with a stack implementation.



-----Original Message-----
From: derek denny-brown [mailto:zuligag@gmail.com]
Sent: Wed 1/31/2007 10:10 AM
To: Shlomo Yona
Cc: xml-dev@lists.xml.org
Subject: Re: [xml-dev] XML processor attacks

By attribute/name resolution attacks, I meant (a) duplicate attribute
detection and (b) prefix lookup attacks.

Duplicate attribute detection is often implemented as a linear scan,
which equates to O(N^2), algorithm, which makes it 'vulernable'.  If
it is implemented as a hashtable, then the attacker just needs to know
your hash algorithm to also make that O(N^2).

Most parsers I've seen, implement namespace prefix lookup as a scan
over a stack, and thus is O(N^2), as with duplicate attribute

It is quite hard to actually craft an attack that leverages these
vulnerabilities to do much damage though, since the scans are usually
extremely fast.  The DTD/parameter-entity attack is the only one that
I know of that has worse then O(N^2) overhead.  By limiting the size
of document accepted, you can trivially block any of the O(N^2)
attacks (since it would require a large document for N to get large
enough to really ammount to much).

On 1/30/07, Shlomo Yona <S.Yona@f5.com> wrote:
> Hello,
> I am aware of some XXE attacks (tricking the XML processor to access files which should be unauthorized for access, e.g., password files). I think that attacks that are "hidden" in file inclusions or are being referred to from an XML document, also fall into this category.
> There is also the famos XML bomb, a recursive definition of attributes designed to cause an XML processor to consume too much memory.
> What do you mean by "attribute/name resolution attacks"?
> Shlomo
> -----Original Message-----
> From: derek denny-brown [mailto:zuligag@gmail.com]
> Sent: ? 31 ????? 2007 01:20
> To: Shlomo Yona
> Cc: xml-dev@lists.xml.org
> Subject: Re: [xml-dev] XML processor attacks
> I have never seen a comprehensive list.  I know that when I was at MS
> and worked on making the parsers robust against DoS attacks, we found
> attacks that we had not seen published.  The only really bad attacks
> are related to entity expansion, as I remember.  A lot of people are
> all paranoid about attribute/name resolution attacks that turn out to
> be comparatively trivial.
> On 1/30/07, Shlomo Yona <S.Yona@f5.com> wrote:
> > Hello,
> >
> > I've been googling a lot and was unable to find a summary of XML
> > processor attacks.
> >
> > What I'm looking for is some kind of a list of XML parser/processor
> > attacks, which should be considered when implementing XML standard for
> > creating such processors.
> >
> > Is there such a list?
> >
> > If not, can this be a legitimate discussion on this list?
> >
> > Thanks.
> >
> > Shlomo.
> >
> > _______________________________________________________________________
> >
> > XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> > to support XML implementation and development. To minimize
> > spam in the archives, you must subscribe before posting.
> >
> > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
> > subscribe: xml-dev-subscribe@lists.xml.org
> > List archive: http://lists.xml.org/archives/xml-dev/
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> >
> >

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS