XML entity extension attack code instance sharing

Source: Internet
Author: User
Tags: xml parser
XML Entity Expansion is similar in some respects to XML External Entity (XXE) injection, but it mainly aims to launch a denial-of-service (DoS) attack by exhausting the server resources of the target application. The attack builds on custom entity definitions in the XML DOCTYPE: an attacker can, for example, craft definitions that expand in memory into an XML structure far larger than the original document, consuming the memory the web server needs to keep running. The same attack applies to the XML serialisation of HTML5, which the libxml2 extension does not recognise as HTML.

XML Entity Expansion example

There are several ways to expand XML custom entities to achieve the expected depletion of server resources.

Generic Entity Expansion attack

Generic Entity Expansion is also called a "Quadratic Blowup Attack". A custom entity is defined as a very long string; when that entity is referenced many times in the document, it is expanded on every reference, producing an in-memory XML structure that far exceeds the size of the original document.

 <?xml version="1.0"?>
 <!DOCTYPE results [
     <!ENTITY long "SOME_SUPER_LONG_STRING">
 ]>
 <results>
     <result>Now include &long; lots of times to expand
     the in-memory size of this XML structure</result>
     <result>&long;&long;&long;&long;&long;&long;&long;
     &long;&long;&long;&long;&long;&long;&long;&long;
     &long;&long;&long;&long;&long;&long;&long;&long;
     &long;&long;&long;&long;&long;&long;&long;&long;
     Keep it going...
     &long;&long;&long;&long;&long;&long;&long;...</result>
 </results>

By balancing the length of the custom entity string against the number of references in the document body, an attacker can craft an XML document or string that expands to a predictable amount of server RAM. Repeating the request to tie up that RAM yields a successful denial-of-service attack. The drawback of this method is that memory consumption is based on simple multiplication, so the initial XML document or string must itself be fairly large.

Recursive Entity Expansion attack

Generic Entity Expansion requires a fairly large XML input, whereas Recursive Entity Expansion achieves a far stronger effect from a small amount of input. It relies on the XML parser to expand a small set of nested entities exponentially, so an input much smaller than that of a generic expansion attack grows enormously. For this reason the method is also called an "XML Bomb" or "Billion Laughs Attack".

 <?xml version="1.0"?>
 <!DOCTYPE results [
     <!ENTITY x0 "BOOM!">
     <!ENTITY x1 "&x0;&x0;&x0;&x0;&x0;&x0;&x0;&x0;&x0;&x0;">
     <!ENTITY x2 "&x1;&x1;&x1;&x1;&x1;&x1;&x1;&x1;&x1;&x1;">
     <!ENTITY x3 "&x2;&x2;&x2;&x2;&x2;&x2;&x2;&x2;&x2;&x2;">
     <!ENTITY x4 "&x3;&x3;&x3;&x3;&x3;&x3;&x3;&x3;&x3;&x3;">
     <!ENTITY boom "&x4;&x4;&x4;&x4;&x4;&x4;&x4;&x4;&x4;&x4;">
 ]>
 <results>
     <result>Explode in 3...2...1...&boom;</result>
 </results>

An XML Bomb does not require a large XML input, which the application might otherwise restrict. The entity set grows exponentially, so the size of the final expanded text grows exponentially with the number of nesting levels above &x0;. This is a huge and devastating bomb!

Remote Entity Expansion attack

Both generic and recursive entity expansion attacks depend on entities defined locally in the XML Document Type Definition, but an attacker can also define external entities. That obviously requires the XML parser to make a remote HTTP request, as we saw earlier when describing XML External Entity (XXE) injection. Refusing such requests is a basic security measure for your XML parser, so the XXE defences also apply to XML Entity Expansion attacks.

Despite that defence, a remote entity expansion attack works by having the XML parser send a remote HTTP request to fetch the expansion value of a referenced entity. The returned document in turn defines further external entities that require additional HTTP requests, and so on. A seemingly harmless request can thus quickly spiral out of control and burden the server's available resources. If the fetched content also includes a recursive expansion attack, the outcome is worse still.

 <?xml version="1.0"?>
 <!DOCTYPE results [
     <!-- placeholder URL: the fetched document defines further external entities -->
     <!ENTITY cascade SYSTEM "http://remote.example/entity1.xml">
 ]>
 <results>
     <result>3..2..1...&cascade;</result>
 </results>

These attacks can also be turned into a more roundabout DoS: the remote requests can be pointed at the local application itself, or at any other application that shares its server resources, producing a self-inflicted DoS. The XML parser's attempts to resolve external entities can trigger numerous requests to the local application and consume even more server resources. This is a way of amplifying the impact of a DoS attack by using the XML External Entity (XXE) injection discussed earlier.

Defense against XML entity extension attacks

The following general defences are inherited from the defence against XML External Entity (XXE) attacks. We should refuse to let custom entities in XML load local files or make remote HTTP requests, and apply the following globally in all PHP applications that use the libxml2 extension:

libxml_disable_entity_loader(true);

It is true that PHP is known for not playing by the usual rules, and here it does not offer the conventional defence, which is to reject custom entity definitions in the DOCTYPE declaration outright. PHP does define the LIBXML_NOENT constant and the DOMDocument::$substituteEntities public property as alternatives, but their defensive effect is not obvious. It seems we have to live with this, as there is no better solution.

Although there is no better solution, libxml2 does reject recursive entity parsing by default. Be aware that a problematic recursive entity will light up your error log like a Christmas tree. So there seems to be no need for a special defence against recursive entities, even though we should still do something to keep libxml2 from getting stuck while failing to parse them.

The main new threat is the brute-force approach of Generic Entity Expansion, the Quadratic Blowup Attack. It needs neither remote or local system calls nor entity recursion. In fact, the only defence is either to stop using XML or to filter out all XML containing a document type declaration: unless a required document type declaration comes from a trusted and reliable source (for example, over an HTTPS connection whose peer we have verified), the XML is not used. Since PHP gives us no option to disable Document Type Definitions, we have to build that logic ourselves. Assuming libxml_disable_entity_loader(TRUE) has been called first, the following is safe, because expansion is deferred until an affected node value is accessed, which never happens since the check throws before any such value is read.

 $dom = new DOMDocument;
 $dom->loadXML($xml);
 // A DOCTYPE is the only place custom entities can be declared, so refuse
 // the document as soon as one appears among the top-level child nodes.
 foreach ($dom->childNodes as $child) {
     if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
         throw new \InvalidArgumentException(
             'Invalid XML: Detected use of illegal DOCTYPE'
         );
     }
 }

Of course, the code above works when libxml_disable_entity_loader is set to TRUE, since external entity references are then not resolved when the XML is first loaded. Unless a parser offers a comprehensive set of options controlling entity parsing, I am afraid this is the only defence for XML parsers that do not rely on libxml2.

If you want to use SimpleXML, remember to use the simplexml_import_dom() function to convert the verified DOMDocument object.
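To make the defence concrete outside PHP, here is an added example (not from the original article, and not the code of PHP or libxml2) in Python using the standard-library expat binding. It reproduces the DOCTYPE rejection of the DOMDocument snippet above as a parser callback and, for the case where a DOCTYPE must be accepted, adds the two budget checks the text argues for: an expansion-size estimate computed from the entity declarations before anything is expanded (this stops the XML Bomb and also catches recursive entities at declaration time), plus a running limit on expanded character data (this stops the Quadratic Blowup while it streams). External (SYSTEM) entities, the vector for the remote cascade, are refused outright. The function names, the limits, the sample documents and the http://remote.example URL are all constructed here.

```python
import re
import xml.parsers.expat

# General entity references as they appear inside an entity's replacement text.
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character


class UnsafeXML(Exception):
    """Raised when a document is refused before it can be expanded."""


def expanded_size(name, entities, memo=None, stack=None):
    """Size of entity `name` after full expansion, computed from the
    declarations alone so nothing is actually expanded. A reference cycle
    (a -> b -> a) is reported instead of recursing forever."""
    memo = {} if memo is None else memo
    stack = set() if stack is None else stack
    if name in PREDEFINED:
        return 1
    if name in memo:
        return memo[name]
    if name in stack:
        raise UnsafeXML(f"recursive entity reference in {name!r}")
    value = entities.get(name)
    if value is None:
        return 0  # undeclared or external: nothing to expand locally
    stack.add(name)
    size = len(ENTITY_REF.sub("", value))  # literal characters
    for ref in ENTITY_REF.findall(value):
        size += expanded_size(ref, entities, memo, stack)
    stack.discard(name)
    memo[name] = size
    return size


def parse_untrusted(xml_text, allow_doctype=False,
                    max_entity_size=10_000, max_text=1_000_000):
    """Parse XML from an untrusted source and return the number of characters
    of character data delivered. Refuses: any DOCTYPE unless allow_doctype is
    set (the PHP check above); external entities; any entity whose expansion
    would exceed max_entity_size, decided at declaration time; and documents
    whose expanded character data exceeds max_text."""
    parser = xml.parsers.expat.ParserCreate()
    entities = {}
    delivered = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise UnsafeXML("DOCTYPE declarations are not accepted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if value is None:  # SYSTEM/PUBLIC entity: needs a remote or local fetch
            raise UnsafeXML(f"external entity {name!r} rejected")
        if is_param:
            return  # parameter entities are not expanded in content
        entities[name] = value
        size = expanded_size(name, entities)
        if size > max_entity_size:
            raise UnsafeXML(f"entity {name!r} would expand to {size} characters")

    def on_chars(data):
        nonlocal delivered
        delivered += len(data)
        if delivered > max_text:
            raise UnsafeXML(f"expanded text exceeds {max_text} characters")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_text, True)  # exceptions raised in handlers propagate here
    return delivered


def rejection_reason(xml_text, **options):
    """Return the refusal message, or None if the document was accepted."""
    try:
        parse_untrusted(xml_text, **options)
    except UnsafeXML as exc:
        return str(exc)
    return None


# Constructed, deliberately small versions of the three attacks described above.
QUADRATIC = ('<!DOCTYPE r [<!ENTITY long "' + "A" * 100 + '">]>'
             "<r>" + "&long;" * 20 + "</r>")
BOMB = ('<!DOCTYPE r [<!ENTITY x0 "BOOM!">'
        '<!ENTITY x1 "' + "&x0;" * 10 + '">'
        '<!ENTITY x2 "' + "&x1;" * 10 + '">'
        '<!ENTITY x3 "' + "&x2;" * 10 + '">'
        '<!ENTITY boom "' + "&x3;" * 10 + '">]>'
        "<r>&boom;</r>")
CASCADE = ('<!DOCTYPE r [<!ENTITY cascade SYSTEM "http://remote.example/entity1.xml">]>'
           "<r>&cascade;</r>")

if __name__ == "__main__":
    print(rejection_reason(QUADRATIC))  # refused: DOCTYPE present
    print(rejection_reason(QUADRATIC, allow_doctype=True, max_text=1000))
    print(rejection_reason(BOMB, allow_doctype=True))
    print(rejection_reason(CASCADE, allow_doctype=True))
    print(parse_untrusted("<r>hello</r>"))
```

The declaration-time estimate is the important part: because entity declarations precede the content that references them, the bomb is refused before the parser has expanded a single byte, which is the same property the DOMDocument check relies on. One caveat for the PHP snippet in the text: since PHP 8.0, libxml_disable_entity_loader() is deprecated because external entity loading is disabled by default, so in current PHP the DOCTYPE check carries the weight on its own.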

Original article address: Injection Attacks

OneAPM for PHP can go deep into all PHP applications to provide application performance management and monitoring, including visibility into code-level performance problems, fast identification and tracing of performance bottlenecks, Real User Experience Monitoring, server monitoring, and end-to-end application performance management. For more technical articles, visit the OneAPM official technical blog.

