[Expat-discuss] Handling malicious XML with Expat - what options do I have?

Nick MacDonald nickmacd at gmail.com
Fri Sep 12 13:48:04 CEST 2008


Sebastian:

DoS prevention is virtually impossible to do perfectly... you'll end
up spending all your time on the effort and never get meaningful work
done...  so you have to find the reasonable trade-offs that make
things fairly secure but still leave your system usable.  In this
vein, sanitizing your input is probably the best bang for your buck...
backed up by some "over limit" detection in your code.

I haven't spent any time on this particular topic, and although I have
heard of the "million laughs" attack, I am not well versed in XML
attacks...  but the obvious answer to me is to employ some sort of XML
sanity checking logic as a pre-parsing step.  You will never be
invulnerable to all attacks, from the simple fact that a lot of
attacks are difficult to think of in advance, but if your problem
domain is simple enough (or can be made to be simple enough by
applying some limiting assumptions) then you should be able to build a
pre-parser that will fit the bill.

If, for example, you were worried about a file taking too much memory,
or too much time to process, just build in some simple logic into the
parse that kicks out an error if too much memory gets used, or too
much time elapses.  (You'd want to build in a manual override in case
of exceptional cases though.)

The biggest problem is probably some of the features that can be
legally used in an XML file leading to unintended problems, but I
think you can turn off the utilization of those kind of features in
Expat and then you'd hopefully be able to detect them with your own
code, and then flag the suspect input.

The real question you have to consider is where is the threat going
to be coming from?  An insider (inside job), from the outside world
(the Internet?) or from bad output from another program/step (that
might be more vulnerable than your part.)  The amount of effort going
into countermeasures, and the amount of human involvement when
something goes wrong, is dictated by who's causing the problem.

Nick


On Thu, Sep 11, 2008 at 3:33 PM, Sebastian Pipping
<webmaster at hartwork.org> wrote:
> What can I do to make an application using Expat
> resilient to malicious XML?  Explosion of neither
> time nor space are acceptable in my case.
>
> Has anyone built a working solution before?
> I'd be happy to hear about your experience.
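As an added example (not code from the list or from the Expat project), here are the guards sketched in the reply above, written against Expat through Python's standard xml.parsers.expat binding, which wraps the same library: a raw input size cap as the pre-parse check, refusal of entity declarations, a budget on the expanded text Expat hands back, and a wall-clock deadline. The class name, the limit values and the two sample documents are assumptions constructed for the example.

```python
import time
import xml.parsers.expat as expat

class XmlLimitExceeded(Exception):
    """Raised when the input trips one of the configured guards."""

class BoundedExpatParser:
    """Expat parser with the guards discussed above: refuse entity declarations,
    cap the expanded text Expat hands back, and cap wall time (limits are example assumptions)."""

    def __init__(self, max_input_bytes=1 << 20, max_output_bytes=1 << 20,
                 max_seconds=2.0, allow_entities=False):
        self.max_input_bytes, self.max_output_bytes = max_input_bytes, max_output_bytes
        self.max_seconds, self.allow_entities = max_seconds, allow_entities
        self.output_bytes = self.elements = 0  # text Expat delivered after expansion

    def _check(self, produced):
        self.output_bytes += produced
        if self.output_bytes > self.max_output_bytes:
            raise XmlLimitExceeded("expanded output over limit")
        if time.monotonic() > self.deadline:
            raise XmlLimitExceeded("parse time over limit")

    def _entity_decl(self, name, is_pe, value, base, sysid, pubid, notation):
        # Nested internal entities are what makes the "laughs" input explode;
        # refusing the declaration stops it before any expansion happens.
        if not self.allow_entities:
            raise XmlLimitExceeded("entity declaration %r refused" % name)
        self._check(len(value or ""))

    def _start(self, name, attrs):
        self.elements += 1
        self._check(len(name) + sum(len(k) + len(v) for k, v in attrs.items()))

    def parse(self, data):
        if len(data) > self.max_input_bytes:
            raise XmlLimitExceeded("raw input over limit")
        p = expat.ParserCreate()
        p.EntityDeclHandler = self._entity_decl
        p.StartElementHandler = self._start
        p.CharacterDataHandler = lambda text: self._check(len(text))
        self.deadline = time.monotonic() + self.max_seconds
        p.Parse(data, True)  # an exception raised in a handler propagates here
        return self.elements, self.output_bytes

BENIGN = b"<root><a x='1'>hi</a><b/></root>"
# Constructed "laughs" input: four levels of tenfold expansion, 30000 chars out.
LAUGHS = (b"<!DOCTYPE r [<!ENTITY l0 'lol'>"
          + b"".join(b"<!ENTITY l%d '%s'>" % (i, (b"&l%d;" % (i - 1)) * 10)
                     for i in range(1, 5)) + b"]><r>&l4;</r>")
```

With the defaults the second document is rejected at its first entity declaration; with entities allowed, the output budget still stops it long before the full expansion is produced.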

