XML Parser Evaluation
For some time now, we have been researching in excruciating detail the prevalence of DTD attacks on different XML parsers. For a quick recap of which attacks are possible, see our DTD Cheat Sheet post.
In this post, we present the results in a nutshell.
The information presented here is based on this master's thesis, which covers the respective results in greater detail.
Test Methodology
We identified 16 test vectors, each testing a specific attack vector (e.g. XXE, various kinds of DoS, XXE via parameter entities, ...). We ran these tests against the default parser configuration and therefore call them core tests.
Additional tests are based on the same test vectors, but we executed them against custom (modified) parser configurations to show the effect of specific parser features.
The complete test set is available on GitHub.
Results
We analyzed the following parsers and summarized the test results in Table 1. Attacks that cannot be mitigated are marked with an asterisk.
Countermeasures
To keep this post short, we only provide keywords for the available countermeasures. More information on how to apply a specific countermeasure is available in the corresponding test files on GitHub.
A description of each countermeasure is available in the master's thesis.
Just navigate to the corresponding section (e.g. Ruby -> REXML) and follow the instructions from there to find the information you are interested in.
Ruby
REXML
- DoS attacks (a built-in threshold limits the size to 100 MB) - Set the features entity_expansion_limit or entity_expansion_text_limit
Nokogiri
- DoS attacks - No Countermeasures
Python
minidom
- DoS attacks - No Countermeasures
etree
- DoS attacks - No Countermeasures
lxml
- DoS attacks - Set the feature resolve_entities = false
- XXE attacks - Set the feature resolve_entities = false
xml.sax/pulldom
- DoS/XXE/URL Invocation - No Countermeasures
- Quirks: Parameter Entities are not processed within EntityValue
defusedxml.*
- No attacks possible
.NET
XmlReader
- No attacks possible
XmlDocument
- DoS attacks (a built-in threshold limits the size to 10 MB) - Apply an XmlReader
- XXE/XXEP/URL Invocation - Apply an XmlReader
PHP
XMLReader
- No attacks possible
- Quirks: parser features != libxml2 features
SimpleXML
- DoS attacks - No Countermeasures
DOMDocument
- DoS attacks - No Countermeasures
Perl
XML::Twig
- DoS/XXE attacks - Set the feature NoExpand
- Quirks: Effectiveness of features depends on case sensitivity and context
XML::LibXML
- DoS attacks - No countermeasures available
- Vulnerable to XXE/XXEP/URL Invocation - Set the feature load_ext_dtd = false
Java
Crimson
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- Quirks: The features external-general-entities and external-parameter-entities cannot be set (they are always true).
Piccolo
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- Quirks: The state of the feature external-parameter-entities is reported incorrectly.
Xerces SAX/DOM
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- Information: use the feature disallow-doctype-decl = false as a countermeasure for all attacks.
Oracle SAX/DOM
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- Quirks: The features external-general-entities and external-parameter-entities are not supported.
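As an added example (not code from the post or from its GitHub test set), the following Python script reproduces the methodology in miniature with the standard library's expat binding: a handful of constructed DTD test vectors are run once against the default parser configuration (the core test) and once against a hardened configuration (the feature test). The hardening is the stdlib equivalent of the countermeasures listed above for the Java parsers: refusing the DOCTYPE outright, or applying a declaration handler that rejects every entity, plus an external-entity handler that never fetches anything. The vector names, the placeholder SYSTEM identifier and all function names are this example's own assumptions.

```python
import xml.parsers.expat as expat


class DtdRejected(Exception):
    """Raised by the hardened parser when it meets a DOCTYPE or an entity declaration."""


# Constructed test vectors (placeholders, not the evaluation's GitHub test set).
# Each one exercises a DTD construct the countermeasures above are meant to stop.
TEST_VECTORS = {
    "plain": "<doc>hello</doc>",
    "internal_entity": '<!DOCTYPE doc [<!ENTITY a "aaaa">]><doc>&a;</doc>',
    # Two-level expansion: the shape of an entity-expansion DoS, kept tiny here.
    "nested_expansion": (
        '<!DOCTYPE doc [<!ENTITY a "aaaaaaaa">'
        '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]><doc>&b;</doc>'
    ),
    # External general entity (XXE shape); the SYSTEM id is a placeholder path.
    "external_entity": (
        '<!DOCTYPE doc [<!ENTITY x SYSTEM "file:///placeholder/does-not-exist">]>'
        "<doc>&x;</doc>"
    ),
}


def make_default_parser():
    """Core-test configuration: expat as created, with no DTD-related handlers.

    Nothing in the DTD is refused, so every vector is accepted. Plain expat does
    not fetch external entities on its own, so the XXE vector is silently skipped
    rather than resolved; an application that installs a fetching
    ExternalEntityRefHandler would resolve it.
    """
    return expat.ParserCreate()


def make_hardened_parser(allow_doctype=False):
    """Feature-test configuration: the same parser with DTD constructs refused.

    allow_doctype=False rejects every DOCTYPE up front (the expat equivalent of
    the Xerces disallow-doctype-decl countermeasure). allow_doctype=True keeps
    the DOCTYPE but refuses every entity declaration (the equivalent of the
    DeclHandler countermeasure) and never resolves external references.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected("DOCTYPE not allowed: %s" % name)

    def on_entity_decl(name, is_parameter_entity, value, base, system_id,
                       public_id, notation_name):
        kind = "parameter" if is_parameter_entity else "general"
        raise DtdRejected("%s entity declaration not allowed: %s" % (kind, name))

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort with an ExpatError instead of fetching.
        return 0

    if not allow_doctype:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return parser


def run_vectors(parser_factory, vectors=TEST_VECTORS):
    """Run every vector through a fresh parser; return {name: outcome}.

    Outcomes: "accepted" (parsed without complaint), "rejected" (refused by a
    hardening handler) or "error" (expat parse error, e.g. an external
    reference the handler declined to resolve).
    """
    results = {}
    for name, document in vectors.items():
        parser = parser_factory()
        try:
            parser.Parse(document, True)
            results[name] = "accepted"
        except DtdRejected:
            results[name] = "rejected"
        except expat.ExpatError:
            results[name] = "error"
    return results


if __name__ == "__main__":
    configurations = [
        ("default", make_default_parser),
        ("hardened", make_hardened_parser),
        ("hardened, DOCTYPE allowed", lambda: make_hardened_parser(allow_doctype=True)),
    ]
    for label, factory in configurations:
        print(label)
        for name, outcome in run_vectors(factory).items():
            print("  %-18s %s" % (name, outcome))
```

Running the script shows the core-test picture for plain expat (every vector accepted) next to the feature-test picture (only the DTD-free document accepted). Rejecting the DOCTYPE is the simpler and stronger setting; the declaration-handler variant is the one to use when an application must keep accepting documents with a DOCTYPE but no entities.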
Authors of this Post
Christopher Späth
Christian Mainka (@CheariX)
Vladislav Mladenov