Question

Is there a way to use a schema (preferably XSD) to let validation of an XML document fail, if there are <!ELEMENT ...> and similar declarations contained?

Or would the XML parser still be vulnerable and eventually crash?

http://resources.infosecinstitute.com/xml-vulnerabilities/

Example: Billion laughs

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

&lol9; is parsed and expanded to 10x &lol8; and so on, ending up creating 1,000,000,000 lol entities and probably making the XML parser run out of memory.

Can any of the listed vulnerabilities be exploited in MSXML 6.0?


Solution

No, XSD constrains the infoset of the parsed XML document; any DTD processing is logically prior to XSD validation, and XSD has no way to require, allow, or forbid the presence or absence of a DTD.

I believe some XML parsers have invocation options to bound their resource usage; even if the parser doesn't have that option, the operating system normally does.
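The point of the answer is that the DTD has to be stopped in the parser, before the infoset exists, rather than in a schema that only sees the result. As an added example (not from the question, the answer, or MSXML), the following Python code uses the standard library's expat bindings to abort on the first DOCTYPE, entity declaration or external entity reference, and to cap the number of elements as a crude resource bound. The sample documents, the class names and the `max_elements` limit are constructed for this illustration.

```python
import xml.parsers.expat as expat

# Constructed sample inputs for this example. The second mirrors the
# question's payload but stops at lol3 so it stays cheap to build.
BENIGN = b'<?xml version="1.0"?><lolz>hello</lolz>'

BILLION_LAUGHS = b'''<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>'''

EXTERNAL_ENTITY = b'''<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>'''


class DTDRejected(ValueError):
    """Raised as soon as the parser meets a DOCTYPE, an entity declaration
    or an external entity reference (hypothetical name for this example)."""


class ResourceLimitExceeded(ValueError):
    """Raised when the document has more elements than the caller allows."""


def parse_no_dtd(data: bytes, max_elements: int = 10_000):
    """Parse with expat and return [(tag, text), ...] in end-tag order.

    The DTD is rejected while it is being read, before any entity can be
    expanded. An XSD could not do this: it only sees the expanded infoset.
    """
    parser = expat.ParserCreate()
    stack = []    # (tag, [text chunks]) for currently open elements
    result = []   # (tag, text) for every closed element
    seen = 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE", before any <!ENTITY ...> is declared.
        raise DTDRejected(f"DOCTYPE {name!r} is not allowed")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: not reached once start_doctype has fired.
        raise DTDRejected(f"entity declaration {name!r} is not allowed")

    def external_ref(context, base, sysid, pubid):
        # Never resolve external entities (XXE), whatever the DOCTYPE said.
        raise DTDRejected(f"external entity {sysid!r} is not allowed")

    def start_element(tag, attrs):
        nonlocal seen
        seen += 1
        if seen > max_elements:
            raise ResourceLimitExceeded(f"more than {max_elements} elements")
        stack.append((tag, []))

    def char_data(chunk):
        # expat may deliver text in several pieces; collect them per element.
        if stack:
            stack[-1][1].append(chunk)

    def end_element(tag):
        name, chunks = stack.pop()
        result.append((name, "".join(chunks)))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element

    # Exceptions raised inside a handler propagate out of Parse().
    parser.Parse(data, True)
    return result


def check_xml(data: bytes, max_elements: int = 10_000):
    """(True, elements) when the document is accepted, (False, reason) otherwise."""
    try:
        return True, parse_no_dtd(data, max_elements)
    except (DTDRejected, ResourceLimitExceeded, expat.ExpatError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN),
                       ("billion laughs", BILLION_LAUGHS),
                       ("external entity", EXTERNAL_ENTITY)):
        ok, detail = check_xml(doc)
        print(f"{label:16} -> {'accepted' if ok else 'rejected'}: {detail}")
```

The same idea in MSXML 6.0 is the ProhibitDTD document property, which is on by default in that version; whichever parser is in use, the DTD check has to be a parser setting or callback, and the schema is applied only to documents that got past it.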

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow