[jdev] Security-related thought experiment
melo at co.sapo.pt
Sat Mar 25 10:55:30 CST 2006
On Mar 25, 2006, at 6:32 AM, Robert B Quattlebaum, Jr. wrote:
> I was thinking the other day about a specific type of denial-of-
> service attack which may possibly affect a number of servers in
> active use today.
> Imagine a c2s connection that has already been set up and is now
> moving top-level stanzas. What would happen if I sent
> <message to="randomjid at jabber.org"><body>
> Followed by a stream of random UTF-8 characters? Assuming that
> those random characters do not happen to contain <, >, or &, (which
> is pretty easy to ensure), I would imagine that the process which
> has the XML parser would get larger and larger until the process
> would run out of memory. Boom.
> This attack (in spirit) doesn't require a fully established jabber
> stream, it only needs an opportunity to inject a large amount of
> data into an XML element that is inside of a top-level stanza. This
> attack could possibly work for attributes as well.
> Limiting the size of a single stanza may or may not fix the
> problem, depending on implementation. If the stanza size filter is
> applied to the stanza after it has been parsed, then this isn't
> good enough--the attack will still be successful because the stanza
> will never finish parsing. However, if the parser kept track of how
> large the stanza was getting as it was parsing it, then this attack
> can be avoided.
> Any thoughts, or other methods of preventing this attack from being
> successful? Or has this already been considered and "fixed"?
open a tcp connection to an jabber server, and send a
<streeeeeeeeeam> stanza, making sure you use a lot of 'e's.
Unless your XML parser has DoS detection and prevention, like over-x-
bytes node names, attributes, value and data, you are vulnerable to
HIId: Pedro Melo
SMTP: melo at co.sapo.pt
XMPP: pedro.melo at sapo.pt
More information about the JDev