Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) |
Attack Pattern ID: 82 (Standard Attack Pattern Completeness: Complete) | Typical Severity: Very High | Status: Draft |
Summary
XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets.
There are three primary attack vectors that XDoS can navigate
Target CPU through recursion: attacker creates a recursive payload and sends to service provider
Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects.
XML Ping of death: attack service provider with numerous small files that clog the system.
All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
Attacker must be able to send a malicious XML payload to host, such as SOAP or REST web service.
Description
Several commercial XML parsers were found to be vulnerable to XDoS through XML recursion attacks. The code fragment below is self-referencing and can result in the parser exhausting all CPU and/or memory available to it.
By the time the service provider validatesthe DTD elements it is too late, because the validation routines references itself. SOAP messages are no longer allowed to accept DTDs, however there is nothing to stop developers of other applications or custom SOAP implementations from bypassing this concern.
Skill or Knowledge Level: Low
Crafting malicious XML content and injecting it through standard interfaces
Design: Utilize a Security Pipeline Interface (SPI) to mediate communications between service requester and service provider The SPI should be designed to throttle up and down and handle a variety of payloads.
Design: Utilize clustered and fail over techniques, leverage network transports to provide availability such as HTTP load balancers
Implementation: Check size of XML message before parsing
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Category | 119 | Resource Depletion | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 99 | XML Parser Attack | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 147 | XML Ping of Death | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 197 | XEE (XML Entity Expansion) | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 229 | XML Attribute Blowup | Mechanism of Attack (primary)1000 |
Submissions | ||||
---|---|---|---|---|
Submitter | Date | Comments | ||
Gunnar Peterson | 2007-02-28 |
Modifications | |||||
---|---|---|---|---|---|
Modifier | Organization | Date | Comments | ||
Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise | ||
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name | ||
Sean Barnum | Cigital, Inc | 2007-04-16 | Modified pattern content according to review and feedback |