+49 228 5552576-0


info@predic8.com

Protection against XML Attacks and DoS

Protect your server against XML-related attacks.

Denial of Service attacks are possible whenever a small request leads to huge resource consumption on the side, either in memory or in CPU time. While in a susceptible application context this cannot completely be prevented without changing the service's implementation, some steps can be taken to thwart some forms of attack.

Protections

Only allow XML Requests

Any non-XML request is discarded (and a "400 Bad Request" response returned), to prevent parsers from accidentally attempting to process it.

Only allow well-formed XML Requests

Since any "almost well-formed" request might be used to exploit bugs in the XML parser, all non-XML or not well-formed requests are discarded.

Remove DTDs from incoming Requests

DTDs (Document Type Definitions) are a valid part in an XML document's prologue. By allowing the definition of entities using other entities, they potentially cause an XML parser to exhaust the available memory (exponential entity expansion).

By allowing the definition of external entities using URIs, an unprotected Web server can potentially leak any internal information it has access to.

Since DTDs have largely been superseeded by XML Schema, they can in most cases simply be removed from any incoming XML request.

Limit Element Name Length and the Number of Attributes per Element

As most XML-handling software dramatically increases its resource usage as element names grow longer or the number of attributes of an element increases, in practice usually both can simply be limited. Requests exceeding one of those limits will be discarded.

Repercussion

Before the XML protection feature of Membrane ESB investigates an incoming request for DTD removal or limit checks, the request has to be read completely into memory. This leads to an increased memory usage.

Usage

Add the xmlProtection interceptor to a proxy configuration, for example as follows:


       
                              
<proxies>
  <serviceProxy>
    <path>/axis2/services/BLZService</path>
    <xmlProtection />
    <target host="thomas-bayer.com" port="80"/>
  </serviceProxy>
</proxies>
Listing 1: Applied XML attack and DoS Protection

For more detailed documentation, see the xmlProtection reference.

Copyright © 2008-2015 predic8 GmbH
Moltkestr. 40, 53173 Bonn, Tel. +49 (228) 555 25 76-0