Home. 
Search
.

transparent
transparent
transparent
  Library.Mailing List Archive

Altova Mailing List Archives


Re: [xml-dev] XML processor attacks

From: Tei <oscar.vives@-----.--->
To: xml-dev@-----.---.---
Date: 2/1/2007 10:27:00 AM
What about circular references?

A include B,
B include C,
C include A.

Is that posible?


On 1/31/07, Richard Salz <rsalz@u...> wrote:
> It's pretty easy to cause a denial of service with short messages such as
> a million elements deep:
>         <x><x><x><x><x><x>....</x></x>
> Or badly fragmented:
>   <x><y>.</y><y>.</y>....</x>
> Maximum element, attribute or namespace prefix name
>   <xxx...  xxx...='...' xmlns:xxx...='...'
> Excessively long attribute or namespace values (the '...' above)
> Excessive attributes or namespace declarations
>  <x a1='.' a2='.' a3='.' ...
>
> Schema validation won't save you as long as there's an xs:any extension
> point in the schema.
>
> The key point here is that these attacks are asymmetric -- it's trivial to
> generate these with print statements, but the recipient has to expend a
> lot of horsepower.
>
>         /r$
>
> --
> STSM
> Senior Security Architect
> DataPower SOA Appliances
>


transparent
Print
Mail
Like It
Disclaimer
.

These Archives are provided for informational purposes only and have been generated directly from the Altova mailing list archive system and are comprised of the lists set forth on www.altova.com/list/index.html. Therefore, Altova does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content on the Altova Mailing List Archive(s), regardless of who originates that content. You expressly understand and agree that you bear all risks associated with using or relying on that content. Altova will not be liable or responsible in any way for any content posted including, but not limited to, any errors or omissions in content, or for any losses or damage of any kind incurred as a result of the use of or reliance on any content. This disclaimer and limitation on liability is in addition to the disclaimers and limitations contained in the Website Terms of Use and elsewhere on the site.

.
.

transparent
transparent
 
Company | Legal | Press | Partners | Careers | Sitemap | Contact Us | Altova Blog | Mobile | Full Site
 
Use of this site is governed by our Terms & Conditions and Privacy Policy Copyright 2005-2012 Altova. All Rights Reserved.
transparentGSA