Wednesday, 16 March 2016

XML Parser Evaluation

For some time now, we've been researching in excruciating detail the prevalence of DTD attacks on different XML parsers.

For a quick recap of which attacks are possible, see our DTD Cheat Sheet post.


In this post, we present the results in a nutshell.
The information presented here is based on this master's thesis, which covers the respective results in greater detail.

Test Methodology


We identified 16 test vectors, each testing a specific attack (e.g. XXE, various kinds of DoS, XXE via parameter entities, ...). We ran these tests against each parser's default configuration and therefore call them core tests.

Additional tests use the same test vectors, but we executed them against custom (modified) parser configurations, which shows the effect of specific parser features.

The complete test set is available on github.

Results

We analyzed the following parsers and summarized the test results in Table 1. Attacks that cannot be mitigated are marked with an asterisk.





Countermeasures

To keep this post short, we only provide keywords for the available countermeasures.
More information on how to apply a specific countermeasure is available in the corresponding test files on github.
A description of each countermeasure is available in the master's thesis.
Just navigate to the corresponding section (e.g. Ruby -> REXML) and follow the instructions from there to get the information you are interested in.

Ruby

REXML

  • DoS attacks (a built-in threshold limits the size to 100 MB) - Set the features entity_expansion_limit or entity_expansion_text_limit

Nokogiri

  • DoS attacks - No Countermeasures

Python

minidom

  • DoS attacks - No Countermeasures

etree

  • DoS attacks - No Countermeasures

lxml

  • DoS attacks - Set the feature resolve_entities = false
  • XXE attacks - Set the feature resolve_entities = false

xml.sax/pulldom

  • DoS/XXE/URL Invocation - No Countermeasures
  • Quirks: Parameter Entities are not processed within EntityValue

defusedxml.*

  • No attacks possible

.NET


XmlReader

  • No attacks possible

XmlDocument

  • DoS attacks (a built-in threshold limits the size to 10 MB) - Apply an XmlReader
  • XXE/XXEP/URL Invocation - Apply an XmlReader

PHP

XMLReader

  • No attacks possible
  • Quirks: parser features != libxml2 features

SimpleXML

  • DoS attacks - No Countermeasures

DOMDocument

  • DoS attacks - No Countermeasures

Perl

XML::Twig

  • DoS/XXE attacks - Set the feature NoExpand
  • Quirks: Effectiveness of features depends on case-sensitivity and context

XML::LibXML

  • DoS attacks - No Countermeasures
  • XXE/XXEP/URL Invocation - Set the feature load_ext_dtd = false

Java

Crimson

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • URL Invocation attacks - Apply an EntityResolver
  • Quirks: The features external-general-entities and external-parameter-entities cannot be set (always true)

Piccolo

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Quirks: The state of the feature external-parameter-entities is reported incorrectly

Xerces SAX/DOM

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Information: use the feature disallow-doctype-decl = false as a countermeasure for all attacks

Oracle SAX/DOM

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Quirks: The features external-general-entities and external-parameter-entities are not supported
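The DeclHandler and EntityResolver countermeasures listed for the Java parsers, transposed to Python's low-level xml.parsers.expat callbacks, plus a cap on the amount of text the parser actually produces (which catches nested expansion that passes the per-declaration checks). This is an added example, not code from the post or its github test set; it sits one level below the minidom/etree APIs the post tested, which expose no such hooks, and all sample documents and limits are constructed here.

```python
import xml.parsers.expat as expat

class EntityPolicyError(Exception):
    """Raised when a document violates the entity policy."""

def make_guarded_parser(max_entity_decls=10, max_entity_value=1024, max_text=1_000_000):
    """Expat parser with an entity-declaration hook (the DeclHandler role), an
    external-reference hook that refuses resolution (the EntityResolver role),
    and a cap on the text actually produced, which catches nested expansion."""
    parser = expat.ParserCreate()
    state = {"decls": 0, "chars": 0, "text": []}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        state["decls"] += 1
        if state["decls"] > max_entity_decls:
            raise EntityPolicyError(f"too many entity declarations ({state['decls']})")
        if system_id is not None or public_id is not None:
            raise EntityPolicyError(f"external entity declared: {name}")
        if value is not None and len(value) > max_entity_value:
            raise EntityPolicyError(f"entity {name} value too long ({len(value)} chars)")

    def on_external_ref(context, base, system_id, public_id):
        return 0  # refuse; expat reports an error instead of fetching anything

    def on_chars(data):
        state["chars"] += len(data)
        if state["chars"] > max_text:
            raise EntityPolicyError(f"text output exceeds {max_text} characters")
        state["text"].append(data)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = on_chars
    return parser, state

def parse_guarded(doc, **limits):
    """Parse doc (str); return (text, None) on success or (None, reason) if rejected."""
    parser, state = make_guarded_parser(**limits)
    try:
        parser.Parse(doc, True)
    except (EntityPolicyError, expat.ExpatError) as exc:
        return None, str(exc)
    return "".join(state["text"]), None

# Constructed sample documents (not from the post's test set on github).
BENIGN = '<!DOCTYPE n [<!ENTITY greet "hello">]><n>&greet;</n>'
EXTERNAL = '<!DOCTYPE n [<!ENTITY ext SYSTEM "constructed-placeholder.dtd">]><n>&ext;</n>'
MANY_DECLS = '<!DOCTYPE n [' + ''.join(f'<!ENTITY e{i} "x">' for i in range(20)) + ']><n>&e0;</n>'
NESTED = ('<!DOCTYPE n [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><n>&c;</n>')
```

Calling parse_guarded(NESTED, max_text=500) rejects the document even though each declaration is small, while the default limit lets it expand to 1000 characters.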


Authors of this Post

Christopher Späth
Christian Mainka (@CheariX)
Vladislav Mladenov