XML attribute blowup
Jitendra oza
XML
 XML stands for eXtensible Markup Language
 XML is a markup language, like HTML
 XML was designed to store and transport data
 XML tags are not predefined; you define your own tags
 XML is designed to be self-descriptive
 XML is a W3C recommendation
XML structure
<?xml version="1.0" encoding="UTF-8" ?>
<note>
<To> Dikshant </To>
<From> Jeet </From>
<Message> Hey Buddy! </Message>
</note>
XML attribute
 XML elements can have attributes, just like HTML elements.
 Attributes are designed to hold data related to a specific element.
 Attribute values must be quoted with ' ' or " "
 Within one element, each attribute name may appear only once; a parser has to check this.
 Example:
 <person gender="Male">
XML Attribute Blowup
 XML Attribute Blowup is a denial of service attack against XML parsers.
 The attacker supplies a malicious XML document which a vulnerable XML
parser processes in a very inefficient manner, leading to excessive CPU load.
 The essence of the attack is to include many attributes in the same XML node.
 XML requires attribute names to be unique within an element. A vulnerable
parser verifies this by comparing each new attribute against every earlier one,
so the overall run time grows non-linearly (quadratically for such a pairwise
check) with the number of attributes, leading to a denial of service condition
via CPU exhaustion.
XML Attribute Blowup
 Example:
<?xml version="1.0"?>
<foo
A1=""
A2=""
..
..
A1000=""
/>
Perimeter Solution
 Perimeter technologies should perform strict schema validation against all
incoming XML documents.
 The validation process should enforce the following configurable limits on XML
object definitions:
 The maximum array size
 The maximum number of elements
 The maximum number of attributes per element
 The maximum size of entity definitions
 The maximum number of references to entity definitions
 The same limits should also be configured in the application's own XML parser;
a perimeter device is a second line of defence, not a substitute for a parser
that bounds attribute counts itself.
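Added example (not part of the original slides): a Python script that builds the A1..A1000 payload from the attack slide, contrasts the quadratic pairwise uniqueness check of a vulnerable parser with a linear hashed check, and then enforces the "maximum number of attributes per element" limit from the perimeter slide as a streaming check on top of the standard library's expat parser. The payload, the function names, and the limit values are all constructed for this illustration; the `naive_unique_check` function models the inefficient behaviour the slides describe, it is not taken from any real parser.

```python
import time
import xml.parsers.expat


def attribute_names(n, prefix="A"):
    """Distinct attribute names A1..An, as in the slide's example payload (constructed)."""
    return [f"{prefix}{i}" for i in range(1, n + 1)]


def build_attribute_blowup(n, tag="foo"):
    """Constructed payload: one element carrying n distinct, empty attributes."""
    attrs = " ".join(f'{name}=""' for name in attribute_names(n))
    return f'<?xml version="1.0"?>\n<{tag} {attrs}/>\n'


def naive_unique_check(names):
    """Model of a vulnerable parser's uniqueness check: compare every new
    attribute name against all earlier ones. Quadratic in the attribute count."""
    for i in range(len(names)):
        for j in range(i):
            if names[i] == names[j]:
                return False
    return True


def hashed_unique_check(names):
    """Linear-time alternative: hash each name once and look for a collision."""
    return len(set(names)) == len(names)


def time_check(check, names):
    """Wall-clock seconds for one uniqueness check over `names`."""
    start = time.perf_counter()
    check(names)
    return time.perf_counter() - start


class AttributeLimitExceeded(ValueError):
    """Raised when an element carries more attributes than the configured limit."""


def parse_with_attribute_limit(xml_text, max_attrs):
    """Stream-parse with expat and abort at the first start tag that carries more
    than max_attrs attributes. Returns the number of elements seen. The limit is
    applied per element, which is the check the perimeter slide calls for."""
    elements = 0
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        nonlocal elements
        elements += 1
        if len(attrs) > max_attrs:
            raise AttributeLimitExceeded(
                f"<{name}> has {len(attrs)} attributes, limit is {max_attrs}")

    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return elements


def is_rejected(xml_text, max_attrs):
    """True if the document is refused by the attributes-per-element limit."""
    try:
        parse_with_attribute_limit(xml_text, max_attrs)
    except AttributeLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    # Doubling the attribute count roughly quadruples the naive check's time,
    # while the hashed check grows linearly.
    for n in (1000, 2000, 4000):
        names = attribute_names(n)
        print(f"n={n:5d}  naive={time_check(naive_unique_check, names):.3f}s  "
              f"hashed={time_check(hashed_unique_check, names):.5f}s")

    payload = build_attribute_blowup(1000)
    print("limit 100 rejects payload:", is_rejected(payload, 100))
    print("limit 1000 accepts payload:", not is_rejected(payload, 1000))
```

The streaming limit rejects the document at the offending start tag, before the rest of the input is read, so the cost of a rejected payload is bounded by the limit rather than by the attacker's attribute count. Pick the limit from the largest element your schema legitimately produces, and apply the same value in both the perimeter device and the application parser.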
Thank You