• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


XML Attribute Blowup

Page history last edited by Robert Auger 14 years, 4 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-41


XML Attribute Blowup

XML Attribute Blowup is a denial of service attack against XML parsers. The attacker provides a malicious XML document, which vulnerable XML parsers process in a very inefficient manner, leading to excessive CPU load. The essence of the attack is to include many attributes in the same XML node. Vulnerable XML parsers manage the attributes in an inefficient manner (e.g. in a data container for which insertion of a new attribute has O(n) runtime), resulting in a non-linear (in this example, quadratic, i.e. O(n2)) overall runtime, leading to a denial of service condition via CPU exhaustion.



<?xml version="1.0"?>


In this example, there are 10,000 attributes in the foo node, thus a vulnerable XML parser would perform around 50,000,000 "basic operations" (the sum of work in all 10,000 insertions, i.e. the sum of the numbers 1-10,000). If each such operation takes 100 nanoseconds to complete, the overall processing time for this XML document would be 5 seconds. The size of the XML document is around 90KB. A more sustainable DoS can be achieved with 100,000 attributes, in which case there will be around 5,000,000,000 "basic operations" (sum of 1-100,000), taking 500 seconds. The size of the XML document in this case will be 1MB. In both cases, it's possible to reduce the size of the XML document by using the full range (uppercase letters, lowercase letters, digits, etc.) of the possible XML attribute name. That is, instead of using attribute names consisting of a leading letter ("a" in the above examples) and digits, an attacker can use attribute name using a combination of lowercase letters, uppercase letters and digits such as "aaa", "aaA" and "az9". By doing so, it's possible to generate 100,000 different attribute names using only 3 characters (instead of attribute name of 6 characters, as in the above example) - this reduces the XML document size from 1MB to about 700KB.


This issue can be solved either by limiting the amount of attributes per XML element (or more coarsely, limiting the total size of the XML document), or by using a more efficient data container, e.g. (assuming C++) the STL map container [4].



Amit Klein: IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS

[1] http://www.securityfocus.com/archive/1/378179


Amit Klein: Multiple Vendor SOAP server (XML parser) attribute blowup DoS

[2] http://www.securityfocus.com/archive/1/346973


Amit Klein: Xerces-C++ 2.5.0: Attribute blowup denial-of-service

[3] http://www.securityfocus.com/archive/1/377344


Wikipedia entry 'map (C++ container)'

[4] http://en.wikipedia.org/wiki/Map_(C%2B%2B_container


See also 'Denial of Service'

[5] https://projects.webappsec.org/Denial-Of-Service

Comments (0)

You don't have permission to comment on this page.