XML External Entity Vulnerability DoS case: when the expansion happens?

I am working on an app which takes an XML file as input and then processes it. We found out that the app is vulnerable to an XXE DoS attack, namely the famous Billion Laughs case. Before the file is processed, it is validated against a schema. So, my question is, will the DoS attack take place during the validation? Or are the XML entities not expanded during validation, so that the DoS attack will happen only after validation, when the validated file is parsed?
Asked by Russell'sTeapot
Basically, a parser MUST expand entities to validate a document (see section 4.4.3 of the XML recommendation), since your entities may include some markup needed to build up a valid document.

So yes, the problem may occur during validation of the XML file.
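As an added example (not part of the question or the answer above), the Python snippet below shows the practical consequence: because any parse that reaches entity references expands them, a document has to be screened for a DOCTYPE before it is handed to the validating parser, not after. It uses only the standard library `xml.parsers.expat` and `xml.etree.ElementTree`; the two XML inputs are constructed here, and `load_for_validation` stands in for the app's own "screen, then validate" step.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DoctypeForbidden(ValueError):
    """The document carries a DOCTYPE and therefore may declare entities."""


def screen_for_doctype(xml_bytes: bytes) -> None:
    """Non-validating expat pass that aborts at the first DOCTYPE declaration.

    The handler fires before any entity reference in the body is reached, so
    nothing is expanded: the document is rejected at the cost of reading its
    prolog only. A document without a DOCTYPE passes through untouched.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising here stops the parse; the exception propagates out of Parse().
        raise DoctypeForbidden(
            f"DOCTYPE '{name}' not allowed "
            f"(internal subset present: {bool(has_internal_subset)})"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def load_for_validation(xml_bytes: bytes) -> ET.Element:
    """Screen first, then parse. Schema validation would run on the result."""
    screen_for_doctype(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed sample inputs: one plain document, one with an internal entity.
BENIGN = b'<?xml version="1.0"?><order><item>widget</item></order>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY e "widget">]>'
            b'<order><item>&e;</item></order>')


def classify(xml_bytes: bytes) -> str:
    """Return 'accepted:<root>' or 'rejected' for a screened document."""
    try:
        return "accepted:" + load_for_validation(xml_bytes).tag
    except DoctypeForbidden:
        return "rejected"


def expanded_text_without_screen() -> str:
    """Without the screen, even this non-validating parse expands &e;."""
    return ET.fromstring(WITH_DTD).find("item").text
```

The last function makes the point of the answer concrete: the entity is already expanded by the time the tree exists, so a check placed after parsing or validation comes too late.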