Protecting against XML Entity Expansion attacks
https://blogs.msdn.microsoft.com/tomholl/2009/05/21/protecting-against-xml-entity-expansion-attacks/
Tom Hollander May 21, 2009
One of the critical responsibilities of every developer and architect is to understand, and know how to prevent, as many kinds of security attacks as possible. While there are many types of attacks and many weapons at our disposal to thwart them, the most basic defence we have is input validation. The rule of thumb really needs to be to assume all input from uncontrolled sources is malicious, unless you can prove otherwise. This includes input from end users, as well as input from other systems.
Recently I worked on an application that received XML files from that most untrustworthy of sources, the Internet. Knowing the kind of people who lurk there, we took what seemed like a responsibly paranoid approach involving validating each parsed document against an XML schema, checking a digital signature to ensure it came from a known sender, and cherry-picking the values we needed out of the document.
So I was quite surprised to learn that there was a class of attack which we had not mitigated. It turns out that you should never load untrusted XML content into a .NET XmlDocument class as a first step, even if you plan to do all sorts of checks on it afterwards. This is because there is a class of attack which can bring your server to meltdown just by getting it to parse some XML.
Consider this piece of XML:
<!DOCTYPE foo [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" >
]>
<foo>&m;</foo>
This certainly looks like an odd bit of XML, but at first glance it doesn’t appear overly scary. It’s compact, well-formed and actually only contains one element: <foo>. But what’s in that element? It’s a single custom-defined entity, &m;. And how is that defined? Well, it’s 8 other custom &l; entities. So what’s an &l; then? Hmm, it’s 8 &k;s. You can see where this is going. The document will end up with 8^12 &a;s, where each &a; has 10 characters, so that innocent looking &m; will blow out to 10×8^12, or 687,194,767,360 characters. And on my reasonably well spec’ed developer machine, expanding that number of characters consumed all of my CPU for longer than I was prepared to put up with. A bad guy armed with this attack isn’t going to steal any data, but they could still cause a lot of damage through denial of service.
The good news is that it’s actually very easy to stop this entity expansion in its tracks. The key is to use an XmlReader before parsing the document into an XmlDocument (or instead of, if you can live without a fully-parsed document). It’s possible to validate against an XSD or other schema type using an XmlReader too, but here’s a minimalist example showing how you can check that a document is well-formed, contains no DTDs (and hence no entity definitions) and is less than 10K in size:
using System.IO;
using System.Xml;

// Prepare text reader and settings for XML validation
StringReader textReader = new StringReader(unparsedXml);
XmlReaderSettings settings = new XmlReaderSettings();
settings.XmlResolver = null;                 // never fetch external DTDs or entities
settings.MaxCharactersInDocument = 10000;    // reject anything larger than 10K characters
// DTDs, and with them entity definitions, are already rejected by the default settings (ProhibitDtd = true in .NET 3.5; DtdProcessing = DtdProcessing.Prohibit in .NET 4 and later)
// Read the whole document; any problem surfaces as an XmlException
using (XmlReader reader = XmlReader.Create(textReader, settings))
{
    while (reader.Read()) ;
}
If you get to this point without an XmlException being thrown, the document should be safe to parse. Of course, there could be all sorts of evil things lurking within the elements of the document, so you need to continue to use appropriate validation and encoding as you would for any untrusted input.