<!DOCTYPE root [
 <!ENTITY ha "Ha !">
 <!ENTITY ha2 "&ha; &ha;">
 <!ENTITY ha3 "&ha2; &ha2;">
 <!ENTITY ha4 "&ha3; &ha3;">
 <!ENTITY ha5 "&ha4; &ha4;">
 ...
 <!ENTITY ha128 "&ha127; &ha127;">
 ]>
 <root>&ha128;</root>

Supposedly this is called a billion laughs DoS attack.

Does anyone know how it works?

+1  A: 

It writes "Ha !" 2^128 times.

zneak
how does it do that?
I__
@zneak: how does it do that?
I__
@I__: The entity `` expands to two entities ``, which in turn expand to four ``, which in turn expand to eight ``, ... until it expands to thousands of millions of billions of ``, which resolves to `Ha !`.
zneak
can you show me a tutorial that explains how that works?
I__
so how do people protect themselves against that? you mean if you put that into an html file and have someone open it, it will crash their computer or what?
I__
@zneak: ahahhaahhahaha
I__
Nitpick: It would write "Ha !" 2^127 times, the string would have a theoretical total length of 2^129 characters.
0xA3
@I__: I dunno. I don't want to try. Opening something like that will most certainly hang the program, and probably the whole computer, before the kernel decides there's really really no more memory available, and kills it.
zneak
are you chicken?
I__
+7  A: 

One of the XML bombs - http://msdn.microsoft.com/en-us/magazine/ee335713.aspx

An attacker can now take advantage of these three properties of XML (substitution entities, nested entities, and inline DTDs) to craft a malicious XML bomb. The attacker writes an XML document with nested entities just like the previous example, but instead of nesting just one level deep, he nests his entities many levels deep...

There is also code to protect from these "bombs" (in the .NET world):

XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = false;               // allow the DTD (and its entity declarations) to be processed at all
settings.MaxCharactersFromEntities = 1024;  // cap the total text produced by entity expansion; the reader aborts once exceeded
XmlReader reader = XmlReader.Create(stream, settings);
Andrei Taptunov
+5  A: 

<!ENTITY ha "Ha !"> defines an entity, &ha;, that expands to "Ha !". The next line defines another entity, &ha2;, that expands to "&ha; &ha;" and eventually to "Ha ! Ha !".

&ha3; turns into Ha ! Ha ! Ha ! Ha !, and so on, doubling the number each time. If you follow the pattern, &haN; is "Ha !" 2^(N-1) times, so &ha128; expands to 2^127 "Ha !"s, which is too big for any computer to handle.

Matthew Crumley
Oops, I guess I divided by two instead of subtracting one.
Matthew Crumley
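A budget check in the spirit of the MaxCharactersFromEntities setting from Andrei's answer, applied to the doubling pattern Matthew describes: the expanded size is computed from the entity declarations alone, so a 2^127-laugh document can be rejected before any expansion happens. This is an added Python example, not code from any of the posts; the regexes only recognise the simple internal entity form used in the question, and the sample DOCTYPE is constructed to match it.

```python
import re

# Constructed sample: the DOCTYPE from the question, generated for any depth
# so the doubling can be checked at small N and at the full 128 levels.
def billion_laughs_doctype(depth: int) -> str:
    decls = ['<!ENTITY ha "Ha !">']
    for n in range(2, depth + 1):
        prev = "ha" if n == 2 else f"ha{n - 1}"
        decls.append(f'<!ENTITY ha{n} "&{prev}; &{prev};">')
    return "<!DOCTYPE root [\n " + "\n ".join(decls) + "\n]>"

# Only the simple internal entity form used in the question is recognised.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")

def parse_internal_entities(doctype: str) -> dict:
    """Map entity name -> raw (unexpanded) replacement text."""
    return dict(ENTITY_DECL.findall(doctype))

def expansion_size(entities: dict, name: str, measure=len) -> int:
    """Size of the fully expanded entity, computed without expanding it.
    `measure` scores each run of literal text (len for a character count, or
    a substring count); every reference adds the memoised size of its target,
    so the cost is linear in the number of declarations, not in the output."""
    memo, active = {}, set()

    def size(n: str) -> int:
        if n in memo:
            return memo[n]
        if n in active:
            raise ValueError(f"recursive entity &{n}; (forbidden by the XML spec)")
        text = entities[n]  # KeyError for an undeclared entity
        active.add(n)
        total, last = 0, 0
        for m in ENTITY_REF.finditer(text):
            total += measure(text[last:m.start()]) + size(m.group(1))
            last = m.end()
        total += measure(text[last:])
        active.discard(n)
        memo[n] = total
        return total

    return size(name)

def check_entity_budget(doctype: str, root_ref: str, max_chars: int = 1024) -> bool:
    """Same idea as XmlReaderSettings.MaxCharactersFromEntities: accept the
    document only if expanding root_ref stays within max_chars."""
    return expansion_size(parse_internal_entities(doctype), root_ref) <= max_chars
```

With the 128-level sample, `expansion_size(..., "ha128", lambda s: s.count("Ha !"))` returns 2^127 and `check_entity_budget` rejects the document, while eight levels (639 characters) still pass the default 1024-character budget.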