Question

The OWASP site published a list of steps for how to secure a RESTful service. One point is the XML DoS protection. Now I'm unsure about the following two.

  1. Validation against recursive payloads
  2. Validation against oversized payloads

According to the first point, is it validated if I apply an xs:sequence in my XSD schema like:

<xs:complexType name="addressType">
    <xs:sequence>
        <xs:element name="city" type="addressCity" />
        <xs:element name="number" type="addressNumber" />
        <xs:element name="street" type="addressStreet" />
        <xs:element name="zipCode" type="zipCodeMoreThan4Digits" />
    </xs:sequence>
    <xs:attribute name="id" type="unsignedInteger" use="required">
    </xs:attribute>
</xs:complexType>

And now the second point. Is it sufficient if I apply a RegEx like this:

<xs:simpleType name="addressCity">
    <xs:restriction base="xs:string">
        <xs:pattern value="[a-zA-ZöäüÖÄÜß -]{2,32}" />
    </xs:restriction>
</xs:simpleType>

Solution

Validation against recursive payloads:

The XMLs can be nested infinitely. An XML with deeply nested tags can still be well-formed, so a parser will accept it. If your parser is a DOM parser (which is pretty likely) it will try to build up the whole tree in memory. If the XML your web service receives is deeply nested, your server will eat up all its memory and crash before it could realize that the XML message is invalid -> DoS is successful. The solution here is to try to validate the XML message before it is transferred to the web service server. You can achieve this with an application layer gateway which validates the XML messages against an XSD schema. That schema should only allow the depth of nesting which is needed. You need to do this validation without building up a DOM tree, otherwise you will end up with the same problem.

Validation against oversized payloads:

Here we have a similar attack type. The size of XML affects the memory consumption of the DOM parser. You can make the XML bigger if you put many elements inside a sequence, or simply make one element's text too long.

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <oversize>
      <item1>x</item1>
      <item1>x</item1>
      <item1>x</item1>
      <!-- The element <item1> may continue on, until the SOAP message reaches a size of megabytes or even gigabytes -->
    </oversize>
  </soap:Body>
</soap:Envelope>

OR

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <!-- Arbitrary function call -->
  </soap:Header>

  <soap:oversize>
    <item1>x</item1>
    <item1>x</item1>
    <item1>x</item1>
    <!-- The element <item1> may continue on, until the SOAP message reaches a size of megabytes or even gigabytes -->
  </soap:oversize>

  <soap:Body>
    <!-- Arbitrary function call -->
  </soap:Body>
</soap:Envelope>

Here the solution is to use e.g. maxOccurs="1000" instead of maxOccurs="unbounded" in sequence elements and to limit the length of texts inside tags. Check this out: http://clawslab.nds.rub.de/wiki/index.php/Oversize_payload_attack

Hope this helps!
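One way to do the streaming, non-DOM check the answer recommends, as an added example that is not part of the original answer: a Python SAX handler that rejects a message as soon as it exceeds a nesting depth, an element count or a per-element text length, so a deeply nested or oversize payload is dropped before any tree is built. The limit values, the class and function names and the sample messages below are constructed for this example.

```python
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges

class PayloadLimitExceeded(ValueError):
    """Raised while streaming, before any DOM tree has been built."""

class LimitingHandler(ContentHandler):
    def __init__(self, max_depth, max_elements, max_text_len):
        super().__init__()
        self.limits = (max_depth, max_elements, max_text_len)
        self.depth = self.deepest = self.elements = self.text_len = 0
    def startElement(self, name, attrs):
        self.depth, self.elements, self.text_len = self.depth + 1, self.elements + 1, 0
        if self.depth > self.limits[0]:
            raise PayloadLimitExceeded(f"nesting depth {self.depth} > {self.limits[0]}")
        if self.elements > self.limits[1]:
            raise PayloadLimitExceeded(f"element count {self.elements} > {self.limits[1]}")
        self.deepest = max(self.deepest, self.depth)
    def characters(self, content):
        # expat delivers text in chunks; a running per-element total rejects an oversize text node without buffering it whole
        self.text_len += len(content)
        if self.text_len > self.limits[2]:
            raise PayloadLimitExceeded(f"text longer than {self.limits[2]} chars")
    def endElement(self, name):
        self.depth, self.text_len = self.depth - 1, 0

def check_xml_limits(data, max_depth=16, max_elements=1000, max_text_len=4096):
    """Stream-parse bytes; return size stats or raise at the first violation."""
    handler = LimitingHandler(max_depth, max_elements, max_text_len)
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch external entities
    parser.setContentHandler(handler)
    parser.parse(BytesIO(data))
    return {"depth": handler.deepest, "elements": handler.elements}

def is_within_limits(data, **limits):
    try:
        return check_xml_limits(data, **limits) is not None
    except PayloadLimitExceeded:
        return False

# Constructed sample messages (not from the original post).
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><oversize><item1>x</item1><item1>x</item1><item1>x</item1>'
        b'</oversize></soap:Body></soap:Envelope>')
OVERSIZE = b"<root>" + b"<item1>x</item1>" * 5000 + b"</root>"   # too many elements
NESTED = b"<a>" * 100 + b"</a>" * 100                            # too deep
LONG_TEXT = b"<root><city>" + b"A" * 10000 + b"</city></root>"   # oversize text node
```

Run this at the gateway on the raw request body before it is handed to the service's DOM-based parser; the limits should match the maxOccurs and length restrictions in your XSD.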

Licensed under: CC-BY-SA with attribution