XML Bomb Vulnerability - v0.2



1 XML Bomb Vulnerability

1.1.1.1 Description

CWE Categories:

- CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

The Application_Name application might be vulnerable to XML entity expansion attacks. An XML document can be displayed like an HTML file or processed as data by a program. XML entity expansion vulnerabilities (also known as XML Bomb) arise because the XML specification allows XML documents to define entities that reference other entities defined within the same document. If this is done recursively to a significant depth, the XML parser consumes exponentially increasing amounts of memory and processor resources as each level of recursion is processed. This might result in a denial-of-service condition, causing the entire application to stop functioning.

The pen-tester identified this finding during an external black-box penetration test of the production environment. Affected URL:

- https://www.clien-url.com/b/PBHI (Production environment)

In the screenshot below, the pen-testers injected the following XML tag into the application:

<!DOCTYPE foo [<!ENTITY xeee9b930 "0848f"><!ENTITY xeee9b931 "&xeee9b930;&xeee9b930;"><!ENTITY xeee9b932 "&xeee9b931;&xeee9b931;"><!ENTITY xeee9b933 "&xeee9b932;&xeee9b932;">]>

This tag creates a series of entities, each of which is recursively defined using the value of the preceding entity (each level doubles the length of the previous one). The final entity was then used within a data field in the XML document. The server's response contains the recursively expanded value of this entity:

1.1.1.2 Threats and risks

Risk: HIGH (Impact: Major, Likelihood: Possible)

An XML bomb is a small but dangerous message that is composed and sent with the intent of overwhelming the program that parses XML files. When the XML parser tries to process an XML bomb, the data feeds on itself and grows exponentially. This can shut down a web site or ISP (Internet service provider) and is one of many methods used by attackers to carry out denial-of-service attacks.

To avoid causing an actual denial of service, the pen-tester merely verifies that entities are being recursively expanded to a modest depth. It is therefore possible that the reported application is not actually vulnerable, because it may be designed to prevent entity expansion beyond a given depth.

1.1.1.3 Recommendations

1.1.1.3.1 CORRECTIVE ACTION (QUICK FIX)

The following corrective action is recommended:

a) Disable DOCTYPE

XML entity expansion makes use of the DOCTYPE tag to define the injected entities. XML parsers can usually be configured to disable support for this tag. It may also be possible to use input validation to block input containing a DOCTYPE tag.

If DOCTYPE is not needed by the application, it is recommended to disable DOCTYPE resolution in the XML library; an upgrade of the XML library component is usually needed to fix this vulnerability.

It is also recommended to disable the IS_SUPPORTING_EXTERNAL_ENTITIES and XMLInputFactory.SUPPORT_DTD properties.

Disabling DTDs also makes the parser secure against denial-of-service (DoS) attacks such as Billion Laughs (XML Bomb). If it is not possible to disable DTDs completely, then external entities and external doctypes must be disabled in the way that is specific to each parser.
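The following is an added illustration of the corrective action above, not code from the report or from the client application: a Java StAX factory with SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES disabled, parsing a constructed document that uses the same shallow nested-entity pattern as the finding. The class and method names are hypothetical; the sample documents are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxParser {
    // Constructed test input: the same nested-entity pattern as the finding, at a
    // harmless depth. Not taken from the client application.
    static final String NESTED_ENTITY_DOC =
        "<!DOCTYPE foo [<!ENTITY x0 \"0848f\">"
        + "<!ENTITY x1 \"&x0;&x0;\"><!ENTITY x2 \"&x1;&x1;\">"
        + "<!ENTITY x3 \"&x2;&x2;\">]><data>&x3;</data>";
    static final String PLAIN_DOC = "<data>0848f</data>";

    // Factory configured as the corrective action above describes.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // No DTD processing: injected entity declarations are never honoured.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Never resolve external entities either.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Returns the document's text content. With the DTD ignored, a reference to an
    // entity it declared is undeclared, and the parser fails instead of expanding it.
    static String textContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) {
                sb.append(r.getText());
            }
        }
        r.close();
        return sb.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        XMLInputFactory f = hardenedFactory();
        System.out.println("plain document: " + textContent(f, PLAIN_DOC));
        try {
            textContent(f, NESTED_ENTITY_DOC);
            System.out.println("UNEXPECTED: entity expansion still enabled");
        } catch (XMLStreamException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The plain document parses normally, while the document carrying a DOCTYPE is refused before any entity is expanded, which is the behaviour a re-test of this finding should confirm.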

1.1.1.3.2 PREVENTIVE ACTION (FUNDAMENTAL FIX)

The following preventive action is recommended:

a) Conduct comprehensive application security testing before going live

Before launching any web-application-based product, a comprehensive security assessment shall be performed as part of application testing to ensure conformance to the controls specified in Client_Name's security standards/requirements. Basic testing can be performed using automated tools. However, automated vulnerability detection techniques, e.g. application security scanners, are not fully accurate. Final web-application security testing shall also be performed by an independent third-party security specialist.

1.1.1.4 Effort to remediate

Corrective action effort rating: MEDIUM

Medium effort is required to change the configuration on the production server.

Preventive action effort rating: MEDIUM

Development of security standards and policies will not require significant effort.

1.1.1.5 Target group

The following teams/personnel will likely be involved in remediation efforts and should be informed of this finding:

- Application owners,
- Information security team.

1.1.1.6 Reference to standards

Standards and policies related to this finding:

- ISO/IEC 27001:2013:
  - A.12.6 Technical vulnerability management: To prevent exploitation of technical vulnerabilities.

1.1.1.7 References

For more information, refer to the following web pages:

http://cwe.mitre.org/data/definitions/548.html

1.1.1.8 Current status

This finding was reported on 11.04.2016 and is yet to be re-tested.
