


XML bomb resurfaces

4:17 pm on Sep 8, 2009 (gmt 0)

Posted by httpwebwitch (Senior Member from CA, joined Aug 29, 2003)

In the XML world, there was a famous vulnerability discovered by Amit Klein back in 2002 which used recursion in DTDs (Document Type Definitions) in order to create a Denial-of-Service attack on an XML parser. The attack involved a cleverly crafted DTD which was designed to expand greatly in memory when parsed, using recursion, earning it the name "XML Bomb".
source [soa.sys-con.com]

The bomb was discovered, then defused by a couple of patches issued by IBM and Microsoft. So, problem solved, right?

it cropped up again last week ...[snip]...Vulnerabilities discovered in XML libraries from Sun, Apache Software Foundation, Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them. ...[snip]... Some XML libraries are still naively consuming DTDs and falling victim to recursion attacks.
(same source)

The vulnerability surfaces in situations where your app accepts and parses XML without blocking inline DTDs. For example, a request to a SOAP web service, or an API that accepts XML as an input parameter.
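Added example (not part of httpwebwitch's post or the article it quotes): a scaled-down "billion laughs" document built with nested entity declarations, parsed three ways with Python's stock expat binding. The naive parser expands the entities and returns how many bytes of character data the document actually produced; the hardened parser aborts as soon as it sees an inline DOCTYPE, which is the "block inline DTDs" mitigation the post describes; a third variant keeps DTDs but enforces a byte budget on expanded output, for parsers where DTDs cannot simply be turned off. The function names, the three-level/ten-fold bomb and the budget figure are this example's own choices, not anything from the original page.

```python
import xml.parsers.expat


class DTDRejected(ValueError):
    """Raised when a document carries an inline DTD and the policy forbids it."""


class ExpansionBudgetExceeded(ValueError):
    """Raised when expanded character data outgrows the byte budget."""


def build_bomb(levels: int, fanout: int = 10) -> str:
    """Construct a scaled-down XML bomb (constructed sample, not a real capture).

    e0 is 'lol'; each level e(i) is `fanout` references to e(i-1), so the
    single &e<levels>; reference in the body expands to fanout**levels copies.
    The real attack uses around ten levels (10**9 copies, gigabytes of output).
    """
    entities = ['<!ENTITY e0 "lol">']
    for i in range(1, levels + 1):
        refs = ("&e%d;" % (i - 1)) * fanout
        entities.append('<!ENTITY e%d "%s">' % (i, refs))
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE bomb [\n" + "\n".join(entities) + "\n]>\n"
        "<bomb>&e%d;</bomb>" % levels
    )


def parse_naively(doc: str) -> int:
    """Stock expat: expands every entity and returns bytes of text delivered."""
    size = 0

    def on_chars(data: str) -> None:
        nonlocal size
        size += len(data)

    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return size


def parse_safely(doc: str) -> int:
    """Hardened: refuse any document that declares an inline DTD.

    Exceptions raised inside an expat handler propagate out of Parse(), so the
    parser stops before a single entity is expanded.
    """
    size = 0

    def on_chars(data: str) -> None:
        nonlocal size
        size += len(data)

    def on_doctype(name, sysid, pubid, has_internal_subset) -> None:
        raise DTDRejected("inline DTD rejected: <!DOCTYPE %s>" % name)

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return size


def parse_with_budget(doc: str, max_bytes: int) -> int:
    """Fallback when DTDs must stay enabled: cap the expanded output.

    Entity expansion is delivered through CharacterDataHandler, so counting
    there bounds memory use regardless of how the DTD was nested.
    """
    size = 0

    def on_chars(data: str) -> None:
        nonlocal size
        size += len(data)
        if size > max_bytes:
            raise ExpansionBudgetExceeded(
                "expanded text exceeded %d bytes" % max_bytes
            )

    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return size


if __name__ == "__main__":
    bomb = build_bomb(levels=3)  # 10**3 copies of "lol" = 3000 bytes of text
    print("input bytes:", len(bomb), "expanded bytes:", parse_naively(bomb))
    for fn in (parse_safely, lambda d: parse_with_budget(d, 1000)):
        try:
            fn(bomb)
        except (DTDRejected, ExpansionBudgetExceeded) as exc:
            print("blocked:", exc)
```

Run it and the ratio between input size and expanded size makes the point: a few hundred bytes of DTD turn into kilobytes here and into gigabytes with a few more levels. Rejecting the DOCTYPE outright is the simplest fix for a SOAP endpoint or XML API that has no legitimate reason to accept user-supplied DTDs; the byte budget is the weaker second line for parsers that need internal entities.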