While studying XML vulnerabilities, I came across the coercive parsing attack. Can anybody say what exactly a coercive parsing attack is (in SOA applications)? How does the attack take place? How can one implement this attack using an XML parser in Java?

A: 

Because web services need to consume messages and XML documents, it is possible to create XML documents which may strain the consuming systems as they try to validate and route them. Send enough of those documents at once and the consuming system may use up all its resources trying to work out if the messages are good or not and reject valid messages. Usually you do it by constructing a message with an insanely deep nesting structure, or even recursive nesting.

You'll implement it by constructing such a document and sending it off to the web service.

blowdart
By how much percentage can the attack harm the consuming system? Is there any solution to such an attack?
Rohit
Depends on the system, and what it's doing to the document. Validate the document via XSD before parsing, and keep the parsing simple.
blowdart
A: 

Generally, applications use document type definitions (DTDs) for backward compatibility.
XML definitions allow the use of the element "CDATA", which allows the illegal characters '<' and '&'.
All text in an XML document will be parsed by the parser. But text inside the CDATA section will be ignored by parsers, which allows attackers to send possible system commands to the underlying systems and to sneak in system commands that could potentially be disastrous; they could allow the attacker to manipulate the host with a series of commands.
They could also be used for injection attacks like XPath injection attacks.

Madhan
+1  A: 

For an example implementation of this attack, see the "Billion Laughs Attack."

For a full discussion of the attack, how to test for it, and basic defenses, see the "Web Security Testing Cookbook" recipe on Malicious XML. (Free Google Preview - it's only 3 pages). An excerpt:

"This billion laughs attack abuses the tendency of many XML parsers to keep the entire structure of the XML document in memory as it is parsed ... enough to exhaust a vulnerable program's available memory."

Here are a few other resources:

http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html

http://en.wikipedia.org/wiki/Billion%5Flaughs

Ben Walther
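
A defensive sketch covering the two cases raised in the answers above (the deeply nested message from the first answer and the entity-expansion document from the Billion Laughs answer). This is an added example, not code from any of the posters; the class name, the `MAX_DEPTH` and `MAX_ELEMENTS` limits and the sample documents are assumptions made for illustration, and `String.repeat` needs Java 11 or later. It uses a streaming SAX parser so the document is never held in memory as a tree, and it aborts the parse as soon as a limit is crossed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class GuardedXmlParse {
    static final int MAX_DEPTH = 64;         // assumed limit; derive it from your schema
    static final int MAX_ELEMENTS = 10_000;  // assumed limit; derive it from your message sizes

    /** Stops the parse as soon as nesting depth or element count exceeds the limits. */
    static class LimitHandler extends DefaultHandler {
        private int depth;
        private int elements;

        @Override
        public void startElement(String uri, String local, String qName, Attributes a) throws SAXException {
            if (++depth > MAX_DEPTH) throw new SAXException("nesting deeper than " + MAX_DEPTH);
            if (++elements > MAX_ELEMENTS) throw new SAXException("more than " + MAX_ELEMENTS + " elements");
        }

        @Override
        public void endElement(String uri, String local, String qName) { depth--; }
    }

    /** Returns "accepted", or "rejected: <reason>" when the document trips a guard. */
    static String check(String xml) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Refuse any DOCTYPE, so entity definitions are never read or expanded.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.newSAXParser().parse(new InputSource(new StringReader(xml)), new LimitHandler());
            return "accepted";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal message, a deeply nested one, one carrying a DTD.
        String ok = "<order><item><sku>1</sku></item></order>";
        String deep = "<a>".repeat(200) + "</a>".repeat(200);
        String dtd = "<!DOCTYPE a [<!ENTITY e \"x\">]><a>&e;</a>";
        for (String doc : new String[] {ok, deep, dtd}) System.out.println(check(doc));
    }
}
```

These guards complement a cap on request size at the transport layer and the XSD validation mentioned in the comments above.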