https://blogs.msdn.microsoft.com/tomholl/2009/05/21/protecting-against-xml-entity-expansion-attacks/

Protecting against XML Entity Expansion attacks

Tom Hollander May 21, 2009

One of the critical responsibilities of every developer and architect is to understand, and know how to prevent, as many kinds of security attacks as possible. While there are many types of attacks and many weapons at our disposal to thwart them, the most basic defence we have is input validation. The rule of thumb really needs to be to assume all input from uncontrolled sources is malicious, unless you can prove otherwise. This includes input from end users, as well as input from other systems.

Recently I worked on an application that received XML files from that most untrustworthy of sources, the Internet. Knowing the kind of people who lurk there, we took what seemed like a responsibly paranoid approach involving validating each parsed document against an XML schema, checking a digital signature to ensure it came from a known sender, and cherry-picking the values we needed out of the document.

So I was quite surprised to learn that there were was a class of attack which we had not mitigated. It turns out that you should never load untrusted XML content into a .NET XmlDocument class as a first step, even if you plan to do all sorts of checks on it afterwards. This is because there is a class of attack which can bring your server to meltdown just by getting it to parse some XML.

Consider this piece of XML:

<!DOCTYPE foo [

<!ENTITY a “1234567890” >

<!ENTITY b “&a;&a;&a;&a;&a;&a;&a;&a;” >

<!ENTITY c “&b;&b;&b;&b;&b;&b;&b;&b;” >

<!ENTITY d “&c;&c;&c;&c;&c;&c;&c;&c;” >

<!ENTITY e “&d;&d;&d;&d;&d;&d;&d;&d;” >

<!ENTITY f “&e;&e;&e;&e;&e;&e;&e;&e;” >

<!ENTITY g “&f;&f;&f;&f;&f;&f;&f;&f;” >

<!ENTITY h “&g;&g;&g;&g;&g;&g;&g;&g;” >

<!ENTITY i “&h;&h;&h;&h;&h;&h;&h;&h;” >

<!ENTITY j “&i;&i;&i;&i;&i;&i;&i;&i;” >

<!ENTITY k “&j;&j;&j;&j;&j;&j;&j;&j;” >

<!ENTITY l “&k;&k;&k;&k;&k;&k;&k;&k;” >

<!ENTITY m “&l;&l;&l;&l;&l;&l;&l;&l;” >

]>

<foo>&m;</foo>

This certainly looks like an odd bit of XML, but at first glance it doesn’t appear overly scary. It’s compact, well-formed and actually only contains one element: <foo>. But what’s in that element? It’s a single custom-defined entity, &m;. And how is that defined? Well, it’s 8 other custom &l; entities. So what’s an &l; then? Hmm, it’s 8 &k;s. You can see where this is going. The document will end up with 812 &a;s, where each &a; has 10 characters, so that innocent looking &m; will blow out to 10×812 or 687,194,767,360 characters. And on my reasonably well spec’ed developer machine, expanding that number of characters consumed all of my CPU for longer than I was prepared to put up with. A bad guy armed with this attack isn’t going to steal any data, but they could still cause a lot of damage through denial of service.

The good news is that it’s actually very easy to stop this entity expansion in its tracks. The key is to use an XmlReader before parsing the document into an XmlDocument (or instead of, if you can live without a fully-parsed document). It’s possible to validate against an XSD or other schema type using an XmlReader too, but here’s a minimalist example showing how you can check that a document is well-formed, contains no DTDs (and hence no entity definitions) and is less than 10K in size:

// Prepare text reader and settings for Xml Validation

StringReader textReader = new StringReader(unparsedXml);

XmlReaderSettings settings = new XmlReaderSettings();

settings.XmlResolver = null;

settings.MaxCharactersInDocument = 10000;

// Successfully parse the file, otherwise an XmlException is to be thrown

XmlReader reader = XmlReader.Create(textReader, settings);

while (reader.Read()) ;

If you get to this point without an XmlException being thrown, the document should be safe to parse. Of course, there could be all sorts of evil things lurking within the elements of the document, so you need to continue to use appropriate validation and encoding as you would for any untrusted input.

Protecting against XML Entity Expansion attacks的更多相关文章

  1. ibatis提示Unable to load embedded resource from assembly "Entity.Ce_SQL.xml,Entity".

    原本以为是xml文件配置错误,尝试无果,最终原因未将xml文件的生成操作选择为嵌入的资源.很无语!

  2. XML 实体扩展攻击

    XMl Entity Expansion(攻击)某种程度上类似于 XML Entity Expansion,但是它主要试图通过消耗目标程序的服务器环境来进行DOS攻击的.这种攻击基于XML Entit ...

  3. XEE介绍

    摘要: XMl Entity Expansion(攻击)某种程度上类似于 XML Entity Expansion,但是它主要试图通过消耗目标程序的服务器环境来进行DOS攻击的.这种攻击基于XML E ...

  4. List of XML and HTML character entity references

    A character entity reference refers to the content of a named entity. An entity declaration is creat ...

  5. XML External Entity attack/XXE攻击

    XML External Entity attack/XXE攻击   1.相关背景介绍 可扩展标记语言(eXtensible Markup Language,XML)是一种标记语言,被设计用来传输和存 ...

  6. XXE (XML External Entity Injection) 外部实体注入漏洞案例分析

    ENTITY 实体 在一个甚至多个XML文档中频繁使用某一条数据,我们可以预先定义一个这条数据的“别名”,即一个ENTITY,然后在这些文档中需要该数据的地方调用它. XML定义了两种类型的ENTIT ...

  7. 【译】Attacking XML with XML External Entity Injection (XXE)

    原文链接:Attacking XML with XML External Entity Injection (XXE) XXE:使用XML外部实体注入攻击XML 在XML中,有一种注入外部文件的方式. ...

  8. Play XML Entities

    链接:https://pentesterlab.com/exercises/play_xxe/course Introduction This course details the exploitat ...

  9. XML文件解析之SAX解析

    使用DOM解析的时候是需要把文档的所有内容读入内存然后建立一个DOM树结构,然后通过DOM提供的接口来实现XML文件的解析,如果文件比较小的时候肯定是很方便的.但是如果是XML文件很大的话,那么这种方 ...

随机推荐

  1. linux 排序命令sort

    sort [选项] [文件] 选项: -b:忽略每行前面开始出的空格字符: -c:检查文件是否已经按照顺序排序: -d:排序时,处理英文字母.数字及空格字符外,忽略其他的字符: -f:排序时,将小写字 ...

  2. 使用GDB调试程序

    GDB(GNU Debuger)是Linux中的一个功能强大的调试器.GDB可以让你查看程序的内部结构,打印变量值,设置断点,单步调试源码,运行时修改变量值,路径跟踪,线程切换,显示汇编代码等. 编译 ...

  3. 别踩白块儿游戏源码Android版

    这个项目有带说明文档,大家可以看看源码附件的说明文档吧,“别踩白块儿”是目前非常火的一款游戏,游戏非常简单刺激.关于具体怎么火法怎么玩我就不多说了,相信看到本文的朋友们都非常地清楚. 什么游戏火,我们 ...

  4. python3使用pyqt5制作一个超简单浏览器

    我们使用的是QWebview模块,这里也主要是展示下QWebview的用法. 之前在网上找了半天的解析网页的内容,都不是很清楚. 这是核心代码: webview = Qwebview() webvie ...

  5. Jenkins学习三:介绍一些Jenkins的常用功能

    Jenkins其实就是一个工具,这个工具的作用就是调用各种其他的工具来达成你的目的. 1.备份.迁移.恢复jenkins 首先找到JENKINS_HOME,因为Jenkins的所有的数据都是以文件的形 ...

  6. SharePoint 2013常用开发工具分享

    众所周知,一款好的开发工具不仅能提高项目开发效率,而且能够协助开发人员简化开发流程.本文汇总几款SharePoint 2013开发常用开发工具,希望能够对大家有所帮助.如果您有更好的工具,没有包含在本 ...

  7. Python-09-paramiko模块

    开发堡垒机之前,先来学习一下Python的paramiko模块,该模块基于SSH用于连接远程服务器并执行相关操作. SSHClient 用于连接远程服务器并执行基本命令 基于用户名密码连接 impor ...

  8. js实现弹框及自动关闭

    <SCRIPT LANGUAGE="javascript"> < !-- window.open (''page.html'',''newwindow'',''h ...

  9. 如何重新划分linux分区大小

    1.下载脚本文件,将脚本文件内容复制 chmod +x resize.sh sudo ./resize.sh 输入上面命令后会看到下面的结果 root@odroid:~# sudo ./resize. ...

  10. 我也来写:数据库访问类DBHelper

    一.前言 相信许多人都百度过:“.net 数据库访问类”.然后就出来一大堆SqlHelper.我也用过这些SqlHelper,也自己写过,一堆静态方法,开始使用起来感觉很不错,它们也确实在很多时候可以 ...