Problem solve Get help with specific problems with your technologies, process and projects.

XML security: Preventing XML bombs

With the use of Web services, XML security becomes increasingly important. Web services expert Rami Jaamour explains the damage an XML bomb can do and how to protect against it.

What is an XML bomb and how do I protect my Web service against it?
An XML bomb is a dangerous XML message that can be crafted by a malicious user. It could be sent by a service consumer (a client) as a request message to a Web service provider (a server) in order to cause a denial-of-service DoS attack. An XML bomb exploits Document Type Definition (DTD) processing functionality in XML parsers -- the software that parses an XML message -- by causing them to process an exponentially growing amount of data. A DoS attack could certainly be mounted by sending a message that is large in size to the service if the service is not configured to reject such messages. However, an XML bomb is actually a small XML message that is created in a way that makes the XML content grow only as it gets processed by the XML parser. Here is an example of an XML bomb:

<?xml version="1.0" encoding="UTF-8"?>
  <!ATTLIST SOAP-ENV:Envelope entityReference CDATA #IMPLIED>
  <!ENTITY x0 "foo">
  <!ENTITY x1 "&x0;&x0;" >
  <!ENTITY x2 "&x1;&x1;" >
  <!ENTITY x98 "&x97;&x97;" >
  <!ENTITY x99 "&x98;&x98;" >
] >
<SOAP:Envelope entityReference="&x99;" xmlns:SOAP="">
  <keyword xmlns="urn:parasoft:ws:store">foo</keyword>
When a Web service receives such a message, and if the XML parser has DTD processing enabled, then it will cause the server to expand the entity reference x99;. This reference is defined in the DTD section which comes with the message (highlighted in red) to be equal to &x98; repeated twice, which is in turn defined as &x97; repeated twice and so on all the way to x0. In other words:

x0 = "foo"
x1 = "foofoo"
x2 = "foofoofoofoo"
x99 = "foofoofoofoofoo…foo" or "foo" repeated
      299 = 633825300114114700748351602688
As the service expands the value of x, the size of the string containing the concatenated words "foo" reaches exponential levels, which causes it to quickly consume the server memory that is allocated to the application. Such exhaustion of the server resources causes a DoS, as other legitimate requests would not be processed while the server is busy concatenating useless "foo" strings.

To protect against such attacks, be sure to either use known commercial or open-source SOAP stacks that disallows DTDs, such as Apache Axis, or that ship as part of application server frameworks, such as .NET, WebLogic, WebSphere, etc. You can also disable DTD parsing in your XML parser. Certainly, adopting standards-based packages is often more secure than implementing things on your own.

Dig Deeper on Topics Archive