Unrestricted Recursive Entity References in DTDs ('XML Bomb')

ID: 776
Date: created 2012-05-14, modified 2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Variant

Description

The software requires the use of XML documents and allows their structure to be defined with a Document Type Definition (DTD). The software allows the DTD to define entities in terms of other entities ("recursively", in the CWE wording), which can lead to explosive growth of data when parsed. Well-formed XML forbids an entity from referencing itself, directly or indirectly, so the practical attack is a chain of nested definitions: each entity references the previous one several times, and a document of a few kilobytes expands to gigabytes once the parser substitutes the references.

Likelihood of Exploit: Low to Medium

Applicable Platforms
Language: XML

Time Of Introduction

  • Implementation
  • Operation

Common Consequences

Scope: Availability
Technical Impact: DoS: resource consumption (other)
Notes: If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.

Detection Methods
None

Potential Mitigations

Phase: Operation
Description: If possible, prohibit the use of DTDs, or use an XML parser that limits the expansion of recursive DTD entities. Such limits live in the parser library rather than in the application, so check which library is actually linked at runtime and what its default expansion or amplification limit is.

Phase: Implementation
Description: Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content. The expanded size can be computed from the declarations alone, without performing the expansion; a DTD held in an external file or assembled through parameter entities cannot be measured this way and should be refused outright.

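The first mitigation above (prohibit DTDs, or use a parser that refuses to expand them) applied with Python's standard-library expat binding, as an added example that is not part of the CWE entry or of this page. The function names, the chunk size and the sample documents are this example's own choices. The point of the construction is that expat reports the DOCTYPE and every entity declaration through callbacks at the moment it sees them, which is before any `&name;` reference in the element content can be expanded, so the bomb is refused before it does any work.

```python
"""Refuse DTD-defined entities at parse time with xml.parsers.expat (added example)."""
import xml.parsers.expat as expat

CHUNK = 256  # bytes handed to expat per Parse call (example's own choice)


class DTDNotAllowed(ValueError):
    """The document carries a DOCTYPE or declares an entity."""


def parse_without_dtd(xml_bytes: bytes, allow_doctype: bool = False) -> dict:
    """Parse and return {"root", "element_count", "text_length"}.

    With allow_doctype=False any <!DOCTYPE ...> is refused. With allow_doctype=True
    a DOCTYPE is tolerated (some formats ship one) but any entity declaration is
    still refused: the exponential expansion needs those declarations."""
    parser = expat.ParserCreate()
    summary = {"root": None, "element_count": 0, "text_length": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_doctype:
            raise DTDNotAllowed(f"DOCTYPE {name!r} is not permitted")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the internal subset, before the body
        # is parsed and therefore before any &name; reference is expanded.
        raise DTDNotAllowed(f"entity declaration {name!r} is not permitted")

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["element_count"] += 1

    def on_text(data):
        summary["text_length"] += len(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text

    # Feed small chunks: a handler exception surfaces from the Parse call for
    # the chunk holding the declaration, and nothing past that chunk is ever
    # handed to expat, which bounds how much of a hostile document it processes.
    for offset in range(0, len(xml_bytes), CHUNK):
        parser.Parse(xml_bytes[offset:offset + CHUNK], False)
    parser.Parse(b"", True)
    return summary


def is_rejected(xml_bytes: bytes, allow_doctype: bool = False) -> bool:
    """True if parse_without_dtd refuses the document because of its DTD."""
    try:
        parse_without_dtd(xml_bytes, allow_doctype)
    except DTDNotAllowed:
        return True
    return False


# Constructed sample: a three-level bomb in the ZERO/ONE/TWO style of the
# demonstrative example below, kept small enough to read.
SMALL_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY ZERO "A">
  <!ENTITY ONE "&ZERO;&ZERO;">
  <!ENTITY TWO "&ONE;&ONE;">
]>
<bomb>&TWO;</bomb>
"""

if __name__ == "__main__":
    print(parse_without_dtd(b"<doc><item>hello</item><item/></doc>"))
    print("bomb rejected:", is_rejected(SMALL_BOMB))
    print("rejected with DOCTYPE tolerated:", is_rejected(SMALL_BOMB, allow_doctype=True))
```

The same refusal is what third-party wrappers such as defusedxml do by default; the value of writing it out is seeing that the decision point is the declaration callback, not a size check on the output. Attribute values are expanded by expat as well, so a check that only watches character data would miss a bomb referenced from an attribute; refusing the declaration covers both.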
Relationships

Nature: ChildOf
Related CWE: CWE-409 (Weakness)
Views: CWE-1000, CWE-699

Demonstrative Examples

  1. The DTD and very brief XML of this example illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The entity name ZERO is chosen to indicate its expanded length as an exponent of two: ZERO has length 2^0. ONE refers to ZERO twice, so the parser expands ONE to a length of 2, or 2^1, and each further entity refers to the previous one twice. Ultimately, entity THIRTYTWO expands to 2^32 characters, about 4 GB, from a DTD of a few hundred bytes; a parser that performs the expansion consumes far more memory than the input size suggests. (Demonstrative Example Id DX-53)
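The scheme just described, built and measured in Python, as an added example that is not part of the CWE entry or of this page. It also implements the Implementation-phase mitigation above (scan the entity declarations before parsing): the expanded size of every entity is computed from the declarations alone, so a document can be rejected before any XML parser sees it. The hand-written sample reuses the page's ZERO, ONE, TWO names but stops at FOUR; the generator uses names E0..E32 of its own, and every function name, regular expression and budget value here is an assumption of this example, not something the page specifies.

```python
"""Project the expanded size of DTD entities from their declarations alone (added example)."""
import re

DOCTYPE_SUBSET = re.compile(r"<!DOCTYPE\s+\w+\s*\[(.*?)\]\s*>", re.S)
# General entities only: "<!ENTITY % name ...>" (a parameter entity) does not
# match because '%' is not a \w character.
ENTITY_DECL = re.compile(r"<!ENTITY\s+(\w+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
ENTITY_REF = re.compile(r"&(\w+);")
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}  # 1 char each


def entity_declarations(xml_text: str) -> dict:
    """{name: replacement text} for each general entity in the internal subset."""
    m = DOCTYPE_SUBSET.search(xml_text)
    if m is None:
        return {}
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(m.group(1))}


def expansion_sizes(entities: dict) -> dict:
    """Fully expanded length of each entity, computed from the reference graph.

    A literal character counts once; a reference counts the size of its target,
    so ONE = "&ZERO;&ZERO;" has size 2 * size(ZERO). Raises ValueError on an
    undefined reference or a cycle: XML forbids an entity from referring to
    itself directly or indirectly, so a cycle means the document is malformed."""
    sizes = dict(PREDEFINED)
    in_progress = set()

    def size_of(name: str) -> int:
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise ValueError(f"entity {name!r} references itself")
        if name not in entities:
            raise ValueError(f"undefined entity {name!r}")
        in_progress.add(name)
        text, total, pos = entities[name], 0, 0
        for ref in ENTITY_REF.finditer(text):
            total += ref.start() - pos + size_of(ref.group(1))
            pos = ref.end()
        total += len(text) - pos
        in_progress.discard(name)
        sizes[name] = total
        return total

    return {name: size_of(name) for name in entities}


def projected_document_size(xml_text: str) -> int:
    """Length of the element content once every entity reference is expanded."""
    sizes = dict(PREDEFINED)
    sizes.update(expansion_sizes(entity_declarations(xml_text)))
    m = DOCTYPE_SUBSET.search(xml_text)
    body = xml_text[m.end():] if m else xml_text
    total = len(body)
    for ref in ENTITY_REF.finditer(body):
        if ref.group(1) not in sizes:
            raise ValueError(f"undefined entity {ref.group(1)!r}")
        total += sizes[ref.group(1)] - len(ref.group(0))
    return total


def is_safe_to_parse(xml_text: str, budget: int = 10_000_000) -> bool:
    """Mitigation check: hand the document to a parser only if this is True."""
    try:
        return projected_document_size(xml_text) <= budget
    except ValueError:  # undefined or self-referencing entity: refuse outright
        return False


def build_xml_bomb(depth: int, width: int = 2) -> str:
    """Constructed bomb: E0 is "A"; E{k} is `width` references to E{k-1}.

    depth=32, width=2 is the ZERO..THIRTYTWO scheme under other names: a few
    kilobytes of DTD whose single &E32; reference expands to 2**32 bytes."""
    decls = ['<!ENTITY E0 "A">']
    for k in range(1, depth + 1):
        refs = f"&E{k - 1};" * width
        decls.append(f'<!ENTITY E{k} "{refs}">')
    subset = "\n  ".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE bomb [\n  {subset}\n]>\n<bomb>&E{depth};</bomb>\n'


# Constructed sample with the page's own entity names, stopped at FOUR (2**4).
SMALL_BOMB = """<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY ZERO "A">
  <!ENTITY ONE "&ZERO;&ZERO;">
  <!ENTITY TWO "&ONE;&ONE;">
  <!ENTITY THREE "&TWO;&TWO;">
  <!ENTITY FOUR "&THREE;&THREE;">
]>
<bomb>&FOUR;</bomb>
"""

if __name__ == "__main__":
    big = build_xml_bomb(32)
    print(len(big), "bytes of XML project to", projected_document_size(big), "bytes")
```

The measurement is a text-level pre-filter, and that is also its limit: it understands only an internal subset of general entities with a literal replacement text. An external DTD (which the parser should never fetch in the first place) or one assembled through parameter entities cannot be measured this way, so a checker built on this idea refuses those cases rather than trying to size them.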

Observed Examples

  1. CVE-2009-1955 : XML bomb in web server module
  2. CVE-2003-1564 : Parsing library allows XML bomb

For more examples, refer to the CVE list below.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: WASC
Id: 44
Name: XML Entity Expansion

References:

  1. Amit Klein. Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD. 2002-12-16.
  2. Rami Jaamour. XML security: Preventing XML bombs. 2006-02-22.
  3. Didier Stevens. Dismantling an XML-Bomb. 2008-09-23.
  4. Robert Auger. XML Entity Expansion.
  5. Elliotte Rusty Harold. Tip: Configure SAX parsers for secure processing. 2005-05-27.
Related CVEs (40 in total; the list is truncated here):

  CVE-2014-2228
  CVE-2013-4335
  CVE-2013-6461
  CVE-2013-6460
  ...

© SecPod Technologies