Difference between revisions of "Testing for XML Structural (OWASP-WS-003)"

From OWASP
Line 36: Line 36:
  
 
Web Services can also have a binary attachment such as a Blob or exe.
 
Web Services can also have a binary attachment such as a Blob or exe.
In adequate parsing of such an attachment may exhaust resources:
+
Web service attachments are encoded in base64 format since the trend is that DIME (Direct Internet Message Encapsulation) seems to be a dead-end solution.
  
UNEXPECTED LARGE BLOB:
+
By attacking a very large base64 string to the message this may consume parser resources to the point of affecting availability. Additional attacks may include the injection of a infected binary file into the base64 binary stream.
 +
Inadequate parsing of such an attachment may exhaust resources:
 +
 
 +
'''UNEXPECTED LARGE BLOB:'''
 
  <Envelope>
 
  <Envelope>
 
   <Header>
 
   <Header>
 
     <wsse:Security>
 
     <wsse:Security>
       <Attack>jgiGldkooJSSKFM%()LFM$MFKF)$KRFWF$FRFkflfkfkkorepoLPKOMkjiujhy:llki-123-01ke123-
+
       <file>jgiGldkooJSSKFM%()LFM$MFKF)$KRFWF$FRFkflfkfkkorepoLPKOMkjiujhy:llki-123-01ke123-
       04QWS03994k£R$Trfe£elfdk4r-45kgk3lg"£!04040lf;lfFCVr$V$BB^^N&*<M&NNB%...........10MB
+
       04QWS03994k£R$Trfe£elfdk4r-45kgk3lg"£!04040lf;lfFCVr$V$BB^^N&*<M&NNB%...........10MB</file>
 
     <Signature>…</Signature>
 
     <Signature>…</Signature>
 
     </wsse:Security>
 
     </wsse:Security>
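
Review bot: in the added paragraph, "By attacking a very large base64 string to the message" reads as a typo for "attaching", and "a infected binary file" should be "an infected binary file". In the sample, the element renamed from "Attack" to "file" still carries characters such as "<", "&", "%" and "£", which are outside the base64 alphabet, and the raw "<" and "&" make the element content not well-formed. As written it illustrates malformed XML rather than the oversized base64 attachment the new text describes, so either fill the element with base64 characters only or state that the malformation is intended.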

Revision as of 02:55, 26 October 2006

XML Structural Attacks.

Attackers can craft XML documents whose structure causes a denial of service on the receiving server by tying up memory and CPU resources. The attack works by overloading the XML parser, and XML parsing is CPU-intensive in any case.

For example, elements which contain large numbers of attributes can cause problems with parsers. This category of attack also includes XML documents which are not well-formed XML (e.g. with overlapping elements, or with open tags that have no matching close tags). DOM-based parsing can be vulnerable to DoS because the complete message is loaded into memory (as opposed to SAX parsing), so oversized attachments can cause problems for DOM architectures.

Web Services weakness: the XML has to be parsed via SAX or DOM before the structure and content of the message can be validated.

Examples:

A web service utilising DOM-based parsing can be "upset" by including a very large payload in the XML message, which the parser would be obliged to parse:

VERY LARGE & UNEXPECTED PAYLOAD:

<Envelope>
 <Header>
   <wsse:Security>
     <Hehehe>I am a Large String (1MB)</Hehehe>
     <Hehehe>I am a Large String (1MB)</Hehehe>
     <Hehehe>I am a Large String (1MB)</Hehehe>
     <Hehehe>I am a Large String (1MB)</Hehehe>
     <Hehehe>I am a Large String (1MB)</Hehehe>
     <Hehehe>I am a Large String (1MB)</Hehehe>
     <Hehehe>I am a Large String (1MB)</Hehehe>…
     <Signature>…</Signature>
   </wsse:Security>
 </Header>
 <Body>
   <BuyCopy><ISBN>0098666891726</ISBN></BuyCopy>
 </Body>
</Envelope>

Binary attachments:

Web Services can also have a binary attachment such as a Blob or exe. Web service attachments are encoded in base64 format, since the trend is that DIME (Direct Internet Message Encapsulation) seems to be a dead-end solution.

Attaching a very large base64 string to the message may consume parser resources to the point of affecting availability. Additional attacks may include the injection of an infected binary file into the base64 binary stream. Inadequate parsing of such an attachment may exhaust resources:

UNEXPECTED LARGE BLOB:

<Envelope>
 <Header>
   <wsse:Security>
     <file>jgiGldkooJSSKFM%()LFM$MFKF)$KRFWF$FRFkflfkfkkorepoLPKOMkjiujhy:llki-123-01ke123-
      04QWS03994k£R$Trfe£elfdk4r-45kgk3lg"£!04040lf;lfFCVr$V$BB^^N&*<M&NNB%...........10MB</file>
     <Signature>…</Signature>
   </wsse:Security>
 </Header>
 <Body>
   <BuyCopy><ISBN>0098666891726</ISBN></BuyCopy>
 </Body>
</Envelope>
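
The following is an added example, not part of the original OWASP page: one way a service could enforce structural limits while the message is still being stream-parsed, so that the oversized payloads, large blobs, attribute-heavy elements and malformed documents described above are rejected before any DOM is built. It uses Python's standard expat bindings; the limit values and the names check_message and LimitExceeded are assumptions chosen for illustration.

```python
import io
import xml.parsers.expat

# Illustrative limits (assumptions); derive real ones from the service's schema.
MAX_TOTAL_BYTES = 64 * 1024   # whole message
MAX_TEXT_CHARS = 8 * 1024     # one run of character data, e.g. a base64 blob
MAX_ATTRIBUTES = 16           # attributes on a single element
CHUNK = 4096                  # bytes handed to the parser at a time

class LimitExceeded(Exception):
    """Raised from a parser callback to abort parsing immediately."""

def check_message(stream):
    """Stream-parse a binary file-like object; return (accepted, reason)."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"text": 0}       # length of the current character-data run

    def start(name, attrs):
        state["text"] = 0
        if len(attrs) > MAX_ATTRIBUTES:
            raise LimitExceeded("%d attributes on <%s>" % (len(attrs), name))

    def end(name):
        state["text"] = 0

    def chars(data):
        state["text"] += len(data)
        if state["text"] > MAX_TEXT_CHARS:
            raise LimitExceeded("character data longer than %d" % MAX_TEXT_CHARS)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    total = 0
    try:
        for chunk in iter(lambda: stream.read(CHUNK), b""):
            total += len(chunk)
            if total > MAX_TOTAL_BYTES:   # stop before parsing the excess
                raise LimitExceeded("message larger than %d bytes" % MAX_TOTAL_BYTES)
            parser.Parse(chunk, False)
        parser.Parse(b"", True)           # final call reports unclosed tags
    except LimitExceeded as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "not well-formed: %s" % exc
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: a 10,000-character blob in <file>, as in the example above.
    sample = b"<Envelope><file>" + b"A" * 10000 + b"</file></Envelope>"
    print(check_message(io.BytesIO(sample)))
```

Because the checks run inside the parser callbacks, parsing stops at the first violation instead of after the whole message has been read into memory.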