XML Bomb Vulnerability - v0.2
1.1.1.1 Description
CWE Categories:
The pen-tester found this issue during an external black-box penetration test of the
production environment. Affected URL:
In the screenshot below, the pen-testers injected the following XML tag into the
application:
This tag declares a series of entities, each of which is defined in terms of the value
of the preceding entity. The final entity was then used within a data field in the
XML document.
The server's response contains the recursively expanded value of this entity:
An XML bomb is a small but dangerous message composed and sent with the
intent of overwhelming the program that parses XML. When the XML parser
processes an XML bomb, the data feeds on itself and grows exponentially. This
can shut down a website or ISP (Internet service provider) and is one of many
methods used by attackers to carry out denial-of-service attacks.
1.1.1.3 Recommendations
a) Disable DOCTYPE
XML entity expansion relies on the DOCTYPE declaration to define the injected
entities. XML parsers can usually be configured to disable support for this
declaration. It may also be possible to use input validation to reject input
containing a DOCTYPE declaration.
Disabling DTDs also makes the parser safe against denial-of-service (DoS)
attacks such as Billion Laughs (XML bomb). If DTDs cannot be disabled
completely, then external entities and external doctypes must be disabled in the
way that is specific to each parser.
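One way to apply recommendation (a) with Python's standard-library expat parser, as an added example that is not part of the report: a pre-parse input check rejects any DOCTYPE/ENTITY marker, and the parser itself aborts the moment a DOCTYPE declaration starts, before any entity can be expanded. The sample documents are constructed for the demonstration.

```python
"""Reject DTDs before entity expansion can happen (two independent layers)."""
import re
import xml.parsers.expat

# Layer 1 (input validation): any DOCTYPE or ENTITY declaration in the raw bytes.
# Case-insensitive so that mixed-case spellings are caught as well.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed sample documents: one benign, one carrying a short entity chain.
BENIGN = b"<user><name>alice</name></user>"
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE user [<!ENTITY a "x">'
            b'<!ENTITY b "&a;&a;">]><user><name>&b;</name></user>')


class DtdRejected(ValueError):
    """Raised when a document carries a DTD, which this service never needs."""


def contains_dtd(data: bytes) -> bool:
    """Cheap pre-parse check for DOCTYPE/ENTITY markers."""
    return DTD_MARKER.search(data) is not None


def make_hardened_parser():
    """Layer 2: an expat parser that aborts as soon as a DOCTYPE declaration begins."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity in the internal subset is declared or expanded;
        # an exception raised here stops parsing and propagates out of Parse().
        raise DtdRejected(f"DOCTYPE '{name}' is not permitted")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth: never fetch or parse external parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return parser


def parse_text_of(data: bytes, element: str, prevalidate: bool = True) -> str:
    """Return the text of the first <element> in data, or raise DtdRejected."""
    if prevalidate and contains_dtd(data):
        raise DtdRejected("input validation: DTD markers present")
    parser = make_hardened_parser()
    inside, buf = [False], []
    parser.StartElementHandler = lambda name, attrs: inside.__setitem__(0, name == element)
    parser.EndElementHandler = lambda name: inside.__setitem__(0, False)
    parser.CharacterDataHandler = lambda text: buf.append(text) if inside[0] else None
    parser.Parse(data, True)
    return "".join(buf)
```

Set `prevalidate=False` to exercise the parser-level handler alone; both layers reject `WITH_DTD` while `BENIGN` parses normally.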
Application owners,
ISO/IEC 27001:2013:
1.1.1.7 References
http://cwe.mitre.org/data/definitions/548.html