Re: XML processor attacks
What about circular references? A includes B, B includes C, C includes A. Is that possible?

On 1/31/07, Richard Salz <rsalz@u...> wrote:
> It's pretty easy to cause a denial of service with short messages such as
> a million elements deep:
> <x><x><x><x><x><x>....</x></x>
> Or badly fragmented:
> <x><y>.</y><y>.</y>....</x>
> Maximum element, attribute or namespace prefix name
> <xxx... xxx...='...' xmlns:xxx...='...'
> Excessively long attribute or namespace values (the '...' above)
> Excessive attributes or namespace declarations
> <x a1='.' a2='.' a3='.' ...
>
> Schema validation won't save you as long as there's an xs:any extension
> point in the schema.
>
> The key point here is that these attacks are asymmetric -- it's trivial to
> generate these with print statements, but the recipient has to expend a
> lot of horsepower.
>
> /r$
>
> --
> STSM
> Senior Security Architect
> DataPower SOA Appliances
>
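An added example, not part of the original thread: a streaming pre-check in Python (expat) that rejects a document at the first structural limit it exceeds, covering the shapes listed in the quoted message. The limit values and the names `check_xml`, `first_violation` and `LimitExceeded` are assumptions made for illustration.

```python
import xml.parsers.expat

# Assumed limits for illustration; size them to the documents you expect.
LIMITS = {"bytes": 1 << 20, "depth": 64, "children": 1000,
          "attrs": 32, "name_len": 128, "value_len": 4096}

class LimitExceeded(Exception):
    """Raised at the first limit the document violates."""

def check_xml(data: bytes, limits=LIMITS) -> None:
    child_counts = [0]  # children seen per open element; [0] is the document

    def cap(what, n):
        if n > limits[what]:
            raise LimitExceeded(what)

    def start(name, attrs):  # attrs is a flat [name, value, ...] list
        child_counts[-1] += 1
        cap("children", child_counts[-1])    # badly fragmented content
        child_counts.append(0)
        cap("depth", len(child_counts) - 1)  # deep nesting
        cap("name_len", len(name))
        # Namespace processing is off, so xmlns:* declarations count here too.
        cap("attrs", len(attrs) // 2)
        for i in range(0, len(attrs), 2):
            cap("name_len", len(attrs[i]))
            cap("value_len", len(attrs[i + 1]))

    def end(name):
        child_counts.pop()

    cap("bytes", len(data))  # cheapest check first, before any parsing
    parser = xml.parsers.expat.ParserCreate()
    parser.ordered_attributes = True
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # handler exceptions propagate and stop the parse

def first_violation(data: bytes):
    """Return the name of the first limit exceeded, or None if within limits."""
    try:
        check_xml(data)
    except LimitExceeded as exc:
        return exc.args[0]
    return None

if __name__ == "__main__":
    # Constructed samples, scaled down from the shapes listed in the message.
    print(first_violation(b"<x>" * 65 + b"</x>" * 65))
    print(first_violation(b"<x>" + b"<y>.</y>" * 1001 + b"</x>"))
```

The parser has already read a name or value by the time the handler sees it, so the byte cap on the whole input is what bounds the work done before any other limit can fire.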