tags:

views:

185

answers:

3
+1  Q: 

coercive parsing attack

when studying about xml vulnerabilities , i came accross coercive parsing attack. can anybody say what exactly is Coercive parsing attack(in SOA applications). How does the attack take place? How can one implement this attack using xml parser in java?

A: 

Because web services need to consume messages and XML documents it is possible to create XML documents which may strain the consuming systems as they try to validate and route it. Send enough of those documents at once and the consuming system may use up all its resources trying to work out if the messages are good or not and reject valid messages. Usually you do it by constructing a message with an insanely deep nesting structure, or even recursive nesting.

You'll implement it by constructing such a document and sending it off to the web service.

blowdart  2009-11-25 09:38:27
how much percentage the attack can harm the consuming system>is there any solution to such an attack?
Rohit  2009-11-25 09:42:27
Depends on the system, and what it's doing to the document. Validate the document via XSD before parsing, and keep the parsing simple.
blowdart  2009-11-25 10:31:22
A: 

Generally applications use document type definitions(DTDs) for backward compatibility.
XML definitions allow the use of element "CDATA" which allows illegal characters '<','&'.
All text in an xml document will be parsed by parser. But text inside te cdata section will be ignored by parsers which allows the attackers to send possible system commands to the underlying systems and can sneak in system commands that could potentially be disastrous, they could allow the attaker to manipulate the host with a series of commands.
 They could also be used for injection attacks like xpath injection attacks.

Madhan  2009-11-25 09:55:12
+1  A: 

For an example implementation of this attack, see the "Billion Laughs Attack."

For a full discussion of the attack, how to test for it, and basic defenses, see the "Web Security Testing Cookbook" recipe on Malicious XML. (Free Google Preview - it's only 3 pages). An excerpt:

"This billion laughs attack abuses the tendency of many XML parsers to keep the entire structure of the XML document in memory as it is parsed ... enough to exhaust a vulnerable program's available memory."

Here's a few other resources:

http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html

http://en.wikipedia.org/wiki/Billion%5Flaughs

Ben Walther  2009-11-29 05:45:28

related questions

Load an XmlNodeList into an XmlDocument without looping?
Does System.Xml use MSXML?
Using an XML catalog with Python's lxml?
Why Are People Still Creating RSS Feeds?
Pretty printing XML files on Emacs
Application configuration files
What is the best XML editor?
How much extra overhead is generated when sending a file over a web service as a byte array?
XPATHS and Default Namespaces
How to parse XML in VBA
Small modification to an XML document using StAX
how to use xpath in python
Best binary XML format for JavaME
How can I split an XML document into thirds (or, even better, n pieces)?
Test serialization encoding
Is it "bad practice" to be sensitive to linebreaks in XML documents?
HTML comments break down
Authoritative source on XML-sig
Best way to get InnerXml of an XElement?
HTML version choice
SQL 2005 For XML Explicit - Need help formatting
Any experiences with Protocol Buffers?
XML Editing/Viewing Software
XML Processing in Python
Converting CSV File to XML in Java