[jdev] Security-related thought experiment

Robert B Quattlebaum, Jr. darco at deepdarc.com
Sat Mar 25 00:32:35 CST 2006


I was thinking the other day about a specific type of
denial-of-service attack which may possibly affect a number of servers in
active use today.

Imagine a c2s connection that has already been set up and is now  
moving top-level stanzas. What would happen if I sent

<message to="randomjid@jabber.org"><body>

Followed by a stream of random UTF-8 characters? Assuming that those  
random characters do not happen to contain <, >, or &, (which is  
pretty easy to ensure), I would imagine that the process which has  
the XML parser would get larger and larger until the process would  
run out of memory. Boom.

This attack (in spirit) doesn't require a fully established jabber  
stream, it only needs an opportunity to inject a large amount of data  
into an XML element that is inside of a top-level stanza. This attack  
could possibly work for attributes as well.

Limiting the size of a single stanza may or may not fix the problem,  
depending on implementation. If the stanza size filter is applied to  
the stanza after it has been parsed, then this isn't good enough--the  
attack will still be successful because the stanza will never finish  
parsing. However, if the parser kept track of how large the stanza  
was getting as it was parsing it, then this attack can be avoided.

Any thoughts, or other methods of preventing this attack from being  
successful? Or has this already been considered and "fixed"?



__________________
Robert Quattlebaum
Mobile: +1(650) 223-4974
eMail:  darco at deepdarc.com
Jabber: darco at deepdarc.com
WWW:    http://www.deepdarc.com/
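
The mitigation the post describes, a parser that keeps track of how large the stanza is getting while it is still parsing, as an added example in Python (my code, not from the post or from any Jabber server). It uses expat's byte index as the stanza size measure; the stream header, the stanzas and the 10 000-byte budget are constructed for illustration.

```python
import xml.parsers.expat

class StanzaTooLarge(Exception):
    pass

class BoundedStanzaReader:
    def __init__(self, max_stanza_bytes):
        self.max_stanza_bytes = max_stanza_bytes
        self.fed = 0              # bytes handed to expat so far, parsed or still buffered
        self.depth = 0            # 1 = inside the <stream:stream> root
        self.stanza_start = None  # byte offset where the currently open stanza began
        self.completed = []       # names of stanzas that closed within budget
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth == 2:       # direct child of the stream root: a stanza opens
            self.stanza_start = self.parser.CurrentByteIndex

    def _end(self, name):
        if self.depth == 2:       # stanza closed: still reject it if it exceeds the budget
            size = self.parser.CurrentByteIndex - self.stanza_start
            if size > self.max_stanza_bytes:
                raise StanzaTooLarge(size)
            self.completed.append(name)
            self.stanza_start = None
        self.depth -= 1

    def feed(self, chunk):
        self.fed += len(chunk)
        self.parser.Parse(chunk, False)   # _end may raise StanzaTooLarge from inside here
        # The post's fix: size the stanza while it is still open, counting bytes expat has
        # buffered but not yet reported, so an unterminated <body> is cut off at the budget.
        if self.stanza_start is not None and self.fed - self.stanza_start > self.max_stanza_bytes:
            raise StanzaTooLarge(self.fed - self.stanza_start)

def process(stream, max_stanza_bytes, chunk_size=4096):
    # Feed bytes in socket-sized chunks; return (completed stanza names, aborted?, size).
    reader = BoundedStanzaReader(max_stanza_bytes)
    for i in range(0, len(stream), chunk_size):
        try:
            reader.feed(stream[i:i + chunk_size])
        except StanzaTooLarge as err:
            return reader.completed, True, err.args[0]
    return reader.completed, False, 0

# Constructed sample traffic (not a real capture): header, one good stanza, then the post's attack shape.
STREAM_OPEN = b'<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">'
GOOD_STANZA = b'<message to="romeo@example.net"><body>hi</body></message>'
FLOOD = b'<message to="randomjid@jabber.org"><body>' + b"A" * 100_000
```

The check in feed() is what a post-parse size filter cannot provide: with the unterminated <body> the parser never sees a closing tag, so only the bytes-since-stanza-start counter can stop it.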



