[Standards-JIG] Re: [jdev] Security-related thought experiment
Robert B Quattlebaum, Jr.
darco at deepdarc.com
Mon Mar 27 09:48:30 CST 2006
Perhaps, but it needs to be clarified that such a limit must be
implemented in a very specific way. Current implementations of "max
stanza size" will likely not prevent this attack from being
successful because it is imposed after the stanza is parsed. This
attack is targeted at the streaming XML parser.
As long as there is the ability to set a limit then this attack can
Such a limiting mechanism should be implemented at the transport
level, not at the session or presentation layers as currently
implemented in most XMPP servers.
While it would perhaps be a good idea to allow the server
administrator the ability to disable this mechanism, I think that it
should be enabled by default--perhaps set to 100k(an absurdly large
size for a stanza).
All of these recommendations would be enumerated and described in the
proposed best-practice JEP.
On Mar 27, 2006, at 7:22 AM, Vinod Panicker wrote:
> On 3/27/06, Robert B Quattlebaum, Jr. <darco at deepdarc.com> wrote:
>> I personally think this is a rather serious issue, perhaps warranting
>> a "Best-practices" JEP for server developers. As XMPP becomes more
>> and more popular, it is only a matter of time before script-kiddies
>> start causing trouble.
>> What I'm thinking is a JEP which describes the attack and ways to
>> prevent it from being successful. Then it makes it easy for server
>> authors to communicate if their server is hardened against this type
>> of attack: "AcmeJabD 0.3 is JEP-01xx compliant"...
>> Any thoughts? Good idea? Better solution? Am I making this out to be
>> bigger than it actually is?
> It's recommended that internet servers have a limit on the amount of
> data it would accept from a client as a "command". In the case of
> xmpp, the server could enforce it in terms of bytes received on the
> connection. Unfortunately, this would be deployment scenario based -
> since some deployments might require the server to accept a large
> number of bytes in a single stanza (assuming an extension to the
> protocol), while others would be happy with say a 10K limit.
> I think that this should be left to the server administrators to
> configure, but would be a good practice if servers implement this.
Mobile: +1(650) 223-4974
eMail: darco at deepdarc.com
Jabber: darco at deepdarc.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the JDev