Page 132 - Hands-On Bug Hunting for Penetration Testers

Detecting XML External Entities                                             Chapter 7

            XXE can also be used to conduct DoS attacks through an XML variant of a popular logic
            bomb tactic called a Billion Laughs. A DoS attack that occurs via a logic bomb (a piece of
            code that, when executed, causes the host to max out its resource consumption) is a bit
            different from a DoS attack caused by one or more outside agents (if there is more than one
            outside agent, then it would be a DDoS attack). A DoS attack is usually considered easier to
            mitigate because there's only one source for the attack: network administrators don't have
            to play whack-a-mole with multiple sources of malicious traffic. But a DoS attack coming
            from a single source also means that an attacker only needs access to that vulnerable input,
            as opposed to a swarm of machines generating traffic as part of a botnet.

            Here's an example of the Billion Laughs XML snippet from Wikipedia's page on the attack:
                  <?xml version="1.0"?>
                  <!DOCTYPE lolz [
                   <!ENTITY lol "lol">
                   <!ELEMENT lolz (#PCDATA)>
                   <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
                   <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
                   <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
                   <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
                   <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
                   <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
                   <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
                   <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
                   <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
                  ]>
                  <lolz>&lol9;</lolz>

            You can see that there's only one root element, <lolz>&lol9;</lolz>. When the text of
            that element, &lol9;, is expanded (since it's a defined entity), the parser looks and sees the
            entity &lol8; and tries to expand it too, which leads it to &lol7;, then &lol6;, and on
            and on through the entity list: it's turtles and memory usage all the way down.

            The result is that after all the entity expansions have been processed, this small, less-than-1
            KB snippet will create 10 to the 9th power "lol"s, totaling over 3 GB of memory usage.
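            The defensive counterpart to the expansion described above is to measure it before the parser does. The following is an added example, not code from the book: it statically estimates how large the document body becomes once every internal entity declared in the DOCTYPE is expanded (memoised arithmetic, so the estimate costs almost nothing even when the real expansion would be gigabytes) and refuses to parse when that exceeds a budget, or, by default, whenever a DOCTYPE is present at all. The regex-based DTD scanner and the make_laughs() generator are assumptions written for this example; make_laughs(9, 10) reproduces the shape of the snippet above, while smaller parameters give a harmless document with the same structure.

```python
"""Added example (not the book's code): a pre-parse guard against entity
expansion bombs. Sample documents are constructed with make_laughs()."""
import re
import xml.etree.ElementTree as ET

# Internal general entity declarations only; parameter entities (<!ENTITY % ...>)
# and external (SYSTEM/PUBLIC) entities are deliberately not matched.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.\-]*);')
DOCTYPE = re.compile(r'<!DOCTYPE\b.*?(\[.*?\])?\s*>', re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


def make_laughs(depth, fanout, name="lol"):
    """Construct a Billion-Laughs-shaped document (for testing the guard only):
    `depth` nested entities, each referencing the previous one `fanout` times."""
    decls = [f' <!ENTITY {name} "{name}">', f' <!ELEMENT {name}z (#PCDATA)>']
    for i in range(1, depth + 1):
        prev = name if i == 1 else f"{name}{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f' <!ENTITY {name}{i} "{refs}">')
    root = f"{name}z"
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE {root} [\n' + "\n".join(decls) + "\n]>\n"
            f'<{root}>&{name}{depth};</{root}>')


def _expanded_len(text, entities, cache, stack):
    """Length of `text` once every reference to a declared entity is expanded
    recursively. Each entity's expanded size is computed once and memoised."""
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - pos
        pos = m.end()
        name = m.group(1)
        if name in PREDEFINED or name not in entities:
            total += len(m.group(0))  # predefined or undeclared: counted as written
            continue
        if name in stack:
            raise ValueError(f"entity {name!r} references itself")
        if name not in cache:
            cache[name] = _expanded_len(entities[name], entities, cache, stack | {name})
        total += cache[name]
    return total + len(text) - pos


def estimate_expansion(xml_text):
    """Return (number of declared internal entities, expanded character count
    of the document body that follows the DOCTYPE)."""
    m = DOCTYPE.search(xml_text)
    if not m:
        return 0, len(xml_text)
    subset = m.group(1) or ""
    entities = {d.group(1): d.group(3) for d in ENTITY_DECL.finditer(subset)}
    body = xml_text[m.end():]
    return len(entities), _expanded_len(body, entities, {}, frozenset())


def safe_parse(xml_text, max_expansion=1_000_000, allow_doctype=False):
    """Parse with the stdlib parser only after the static checks pass.
    The strictest (and simplest) policy is the default: no DOCTYPE at all."""
    if DOCTYPE.search(xml_text) is not None and not allow_doctype:
        raise ValueError("DOCTYPE declarations are not accepted")
    declared, size = estimate_expansion(xml_text)
    if size > max_expansion:
        raise ValueError(f"{declared} entities would expand the body to "
                         f"{size:,} characters (limit {max_expansion:,})")
    return ET.fromstring(xml_text)


def is_rejected(xml_text, **policy):
    """True if safe_parse refuses the document under the given policy."""
    try:
        safe_parse(xml_text, **policy)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bomb = make_laughs(9, 10)  # same shape as the snippet discussed above
    print(len(bomb), "bytes on the wire ->", estimate_expansion(bomb)[1], "expanded")
    print("rejected by default:", is_rejected(bomb))
    print("rejected even with DOCTYPE allowed:", is_rejected(bomb, allow_doctype=True))
    small = make_laughs(2, 3)  # 27 'lol's: harmless, parses normally
    print(safe_parse(small, allow_doctype=True).text)
```

            Two design points: rejecting any DOCTYPE is the policy most hardened parsers expose (it closes off external entities as well as expansion bombs), and the size estimate is deliberately conservative, counting predefined and undeclared references at their written length. Newer Expat builds add their own amplification limit, but a guard like this one fails closed before any expansion work starts and does not depend on the library version.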




