How can I prevent XML Entity expansion attacks using Apigee

Is there a suggestion or recommended approach to detect and potentially reject an XML payload that contains something like this:

<!DOCTYPE foo [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" >
]>
<foo>&m;</foo>

so that a nested entity-expansion depth over some limit causes the request to be rejected. Unless I am mistaken, it does not look like the XMLThreatProtection policy can handle this?


Hi @hmiranda@apigee.com,

Java SE 5 has safeguards for this type of attack. It limits the number of entity expansions to 64,000. This limit can be changed using the following system property:

-DentityExpansionLimit=100000

For a more detailed explanation of the topic and how to check whether your server is secured against such an attack, please check the blog Preventing XML Entity Expansion Attack in Java.
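An added example, not from this thread or from Apigee: a pre-parse check in JavaScript that estimates the cost of the entities declared in the internal DTD subset from the declarations alone (nothing is expanded) and rejects the request when it exceeds a budget, 64,000 here to mirror the JDK default quoted above. Where it runs and how it reads the body (for instance inside an Apigee JavaScript policy) is assumed rather than shown; `analyzeEntities` and its limits are this example's own names.

```javascript
// Added example (not the thread's or Apigee's own code): estimate what
// expanding the internal-DTD entities would cost without expanding them.
// 64,000 mirrors the JDK entityExpansionLimit default named in the reply;
// the limits, names and thresholds below are this example's own choices.
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([A-Za-z_][\w.-]*);/g;

function analyzeEntities(xml, limits = { maxExpansions: 64000, maxDepth: 8 }) {
  const dtd = /<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/.exec(xml);
  if (!dtd) return { ok: true, expansions: 0, depth: 0 };
  // External and parameter entities are rejected outright rather than modelled.
  if (/<!ENTITY\s+(?:%|\S+\s+(?:SYSTEM|PUBLIC)\b)/.test(dtd[1])) {
    return { ok: false, reason: 'external or parameter entity declared' };
  }
  const decls = new Map();
  for (const m of dtd[1].matchAll(ENTITY_DECL)) decls.set(m[1], m[2] ?? m[3]);

  const memo = new Map();     // name -> { expansions, depth }
  const visiting = new Set(); // names on the current recursion path (cycle check)
  // expansions: entity references processed when fully expanding `name`;
  // depth: longest chain of nested references beneath it.
  function cost(name) {
    if (memo.has(name)) return memo.get(name);
    if (visiting.has(name)) throw new Error('recursive entity "' + name + '"');
    visiting.add(name);
    let expansions = 0, depth = 0;
    for (const r of decls.get(name).matchAll(ENTITY_REF)) {
      if (!decls.has(r[1])) continue; // predefined (&amp;) or undeclared: skip
      const c = cost(r[1]);
      expansions += 1 + c.expansions;
      depth = Math.max(depth, 1 + c.depth);
    }
    visiting.delete(name);
    memo.set(name, { expansions, depth });
    return memo.get(name);
  }

  // Only references actually made by the document body trigger expansion.
  const body = xml.slice(dtd.index + dtd[0].length);
  let expansions = 0, depth = 0;
  try {
    for (const r of body.matchAll(ENTITY_REF)) {
      if (!decls.has(r[1])) continue;
      const c = cost(r[1]);
      expansions += 1 + c.expansions;
      depth = Math.max(depth, 1 + c.depth);
    }
  } catch (e) { return { ok: false, reason: e.message }; }
  const ok = expansions <= limits.maxExpansions && depth <= limits.maxDepth;
  return { ok, expansions, depth, reason: ok ? undefined : 'entity expansion limit exceeded' };
}
```

Run against the payload in the question it reports roughly 7.85e10 expansions at depth 13 and rejects it, while a document with a single plain entity passes.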

How did you handle such a situation within Apigee?