VP Innovation at Axway, Co-founder at Vordel

Mark O'Neill

Subscribe to Mark O'Neill: eMailAlertsEmail Alerts
Get Mark O'Neill via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Blog Feed Post

Return of the XML Bomb

The XML Bomb is an attack which has a long history, which I've documented back in 2009. Today in 2015 it continues to be a cause of concern. As with many security vulnerabilities, perhaps the evocative name helps. I'm happy to say that our API Gateway blocks the attack, and has done for many years.

So how the XML Bomb work? It's a clever attack and well worth examining:

Older types of APIs use XML, which can be defined using a Document Type Declaration (DTD). DTDs are an old technology now (actually originating in SGML) and largely superseded but newer technologies (XML Schema, JSON Schema).

The issue is that DTD implementations can be vulnerable to recursion attacks. The SOAP specification states “A SOAP message MUST NOT contain a Document Type Declaration” (http://www.w3.org/TR/SOAP/ Section 3). However, some XML applications process DTDs, and therefore products which protect XML applications must block DTDs.
The following DTD contains a recursively defined entity “&x100;” that would be expanded into the huge amount (2^100) repetitions of the string “hello” by any XML 1.0 standard compliant parser. This would cause excessive memory usage and/or excessive CPU usage:

<!DOCTYPE foobar [
<!ENTITY x0 “hello”>
<!ENTITY x1 “&x0;&x0;”>
<!ENTITY x2 “&x1;&x1;”>
<!ENTITY x3 “&x2;&x2;”>
<!ENTITY x4 “&x3;&x3;”>
<!ENTITY x98 “&x97;&x97;”>
<!ENTITY x99 “&x98;&x98;”>
<!ENTITY x100 “&x99;&x99;”>

It's important to ensure that your APIs are not vulnerable to this attack. An API Gateway is a great way to achieve this.

Read the original blog entry...

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.