Posted by Andrea Nasato Sun, 15 Jan 2006 15:22:00 GMT

Today I want to introduce you into XOM, which is one of the two arguments I’m going to talk about in our next meeting (the second is JSF 1.2). What is XOM? Someone could think it’s yet another XML library. In part that’s true.


Posted in  | Tags ,  | 6 comments

JAXP 1.3 and DoS attacks

Posted by Andrea Nasato Sun, 13 Nov 2005 07:36:00 GMT

One of the new aspects introduced in JAXP 1.3 is the opportunity to specify the security level of the SaxParser used. The target of this feature is to prevent the application from DoS (Denial of Service) attacks, which use some vulnerabilities of XML. There are two main attack categories, let’s see them:

  1. Entity Resolution: suppose that XML stream requires a DTD and this DTD is in an external server and not local to your application. The parser requests the DTD to the server, which can send the DTD slowly or can give it malformed: in this case the parsing stops indefinitely. The solution to this problem is to set to a false value these properties:
    • parser.setFeature(   "http://xml.org/sax/features/external-general-entities",   false)
    • parser.setFeature(   "http://xml.org/sax/features/external-parameter-entities",   false)
    In this way the parser doesn’t call the external server to resolve the DTD.
  2. Overflow attack: XML doesn’t give a limit to the number of attributes of an element, and to the length of an element name. Overflow attacks start from this observation, and their objective is stop the server from fulfilling other requests: if the parser uses the DOM API it maintains a tree representation of XML in memory. When the parser encounters such XML streams it starts allocating objects for each attribute, saturating server memory. If you have such a problem and you use JAXP 1.3 you can set this property: http://javax.xml.XMLConstants/feature/secure-processing. With this property set, your parser rejects this kind of XML streams. You can have notification of such event in the fatalError method of the handler registered with the parser.

So if your boss is paranoid, or if your services could effectively be attacked in such a way, use JAXP 1.3 and those simple rules. If you want more information about JAXP 1.3, this is a good link. For a complete description of DoS attacks with XML this is a good tutorial.

Posted in  | Tags  | no comments