XML Parser denial of service and xsd:any

By Bryan Rasmussen
June 22, 2008

It is pretty easy to mount a denial of service attack on an XML parser by nesting elements too deeply, or by putting more elements into an instance than the parser can cope with. As long as the parser fails gracefully in that situation, rejecting the document rather than exhausting memory or crashing, this is not a problem. More advanced attacks use entity expansion, where a handful of nested entity declarations expand to a document many orders of magnitude larger than the input the parser was handed.
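The graceful failure described above, as an added example that is not part of the original post: a small wrapper around the Python standard library's expat binding that bounds nesting depth and element count and refuses every entity declaration, aborting at the first violation instead of building the whole document. The class and function names, the default limits and the attack inputs are all constructed for this illustration.

```python
# Added example: bounding an XML parser's resource use with the standard
# library's expat binding. BoundedXmlParser, check() and the limits are
# hypothetical choices for this illustration, not from the original post.
import xml.parsers.expat


class XmlResourceLimitExceeded(Exception):
    """Raised as soon as a document exceeds a configured budget."""


class BoundedXmlParser:
    """Streaming parser that fails fast on deep nesting, element floods and
    entity declarations, instead of letting the document exhaust memory."""

    def __init__(self, max_depth=64, max_elements=10_000):
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.depth = 0            # current nesting depth
        self.max_depth_seen = 0   # deepest nesting observed so far
        self.elements = 0         # start tags seen so far
        self._parser = xml.parsers.expat.ParserCreate()
        self._parser.StartElementHandler = self._start
        self._parser.EndElementHandler = self._end
        self._parser.EntityDeclHandler = self._entity_decl

    def _start(self, name, attrs):
        self.depth += 1
        self.elements += 1
        self.max_depth_seen = max(self.max_depth_seen, self.depth)
        if self.depth > self.max_depth:
            raise XmlResourceLimitExceeded(
                "nesting depth %d exceeds limit %d" % (self.depth, self.max_depth))
        if self.elements > self.max_elements:
            raise XmlResourceLimitExceeded(
                "element count %d exceeds limit %d" % (self.elements, self.max_elements))

    def _end(self, name):
        self.depth -= 1

    def _entity_decl(self, entity_name, *rest):
        # Refusing every entity declaration (internal or external) is the
        # bluntest defence against entity expansion; nothing is ever expanded.
        raise XmlResourceLimitExceeded("entity declaration %r refused" % entity_name)

    def parse(self, data, chunk_size=4096):
        """Feed the document in chunks. An exception raised inside a handler
        propagates out of Parse(), so parsing stops at the first violation."""
        for offset in range(0, len(data), chunk_size):
            self._parser.Parse(data[offset:offset + chunk_size], False)
        self._parser.Parse(b"", True)
        return self.elements, self.max_depth_seen


def check(data, **limits):
    """Return ("ok", (element_count, max_depth)) or ("rejected", reason)."""
    parser = BoundedXmlParser(**limits)
    try:
        return ("ok", parser.parse(data))
    except XmlResourceLimitExceeded as exc:
        return ("rejected", str(exc))


# Constructed attack inputs, not captured from any real system.
def nested_bomb(depth):
    """depth elements nested inside one another: <a><a>...</a></a>"""
    return b"<a>" * depth + b"</a>" * depth


def flat_bomb(count):
    """One root with count empty children."""
    return b"<root>" + b"<x/>" * count + b"</root>"


BILLION_LAUGHS = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
    b'<lolz>&lol3;</lolz>'
)


if __name__ == "__main__":
    for label, doc in [("small", nested_bomb(10)), ("deep", nested_bomb(100_000)),
                       ("wide", flat_bomb(1_000_000)), ("entities", BILLION_LAUGHS)]:
        print(label, check(doc))
```

Because expat is a streaming parser, the budgets are enforced on the fly: the deep and wide documents are rejected after a few kilobytes of input, and the entity bomb is refused at the first declaration, before any expansion happens.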

How severe these attacks are depends partly on the API used: a DOM parser builds the whole tree in memory before the application sees any of it, whereas a SAX or other streaming API lets the application count and bound what it sees as it goes. Strict validation often provides protection, but obviously not where the grammar itself has been designed to allow unlimited nesting, or where xsd:any is used in such a way that the ability to place an unlimited size tree inside the otherwise restricted grammar is once again open.

This can of course be guarded against by specifying that the contents of one's any must be validated strictly, for example:

<xs:element name="extension">
  <xs:complexType>
    <xs:sequence>
      <xs:any namespace="##any" processContents="strict"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>

This does mean, however, that your validation has to know about every possible extension to your format, which in turn means a framework has to be established for ratifying new extensions. Lots of wonderful committee work is the likely result.
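To show what processContents actually buys you, here is an added example (mine, not code from the original post) that validates the same message against three variants of the schema above with the third-party lxml package. It goes slightly beyond the post's snippet by also declaring one global element, "note", so that the strict wildcard has something it can accept. The schema, element names and payload depth are constructed for this illustration.

```python
# Added example: how processContents on xsd:any decides whether an arbitrary
# tree inside an "extension" element passes validation. Uses the third-party
# lxml package (libxml2). The schema, element names and payload sizes are
# hypothetical, not from the original post.
from lxml import etree

# Schema in no target namespace: a message with a mandatory body, an optional
# extension element whose content is an xsd:any wildcard, and one globally
# declared element ("note") that a strict wildcard is able to match.
SCHEMA_TEMPLATE = """\
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="note" type="xs:string"/>
  <xs:element name="message">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="body" type="xs:string"/>
        <xs:element name="extension" minOccurs="0">
          <xs:complexType>
            <xs:sequence>
              <xs:any namespace="##any" processContents="%s"
                      minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""


def build_schema(process_contents):
    """Compile the schema with the given processContents (skip, lax or strict)."""
    return etree.XMLSchema(etree.fromstring(SCHEMA_TEMPLATE % process_contents))


def nested_payload(depth, name="x"):
    """Constructed attacker payload: depth undeclared elements nested in each other."""
    return ("<%s>" % name) * depth + ("</%s>" % name) * depth


def validates(process_contents, extension_payload):
    """True if a message carrying extension_payload passes schema validation."""
    doc = etree.fromstring(
        "<message><body>hello</body><extension>%s</extension></message>"
        % extension_payload)
    return build_schema(process_contents).validate(doc)


if __name__ == "__main__":
    bomb = nested_payload(200)
    for mode in ("skip", "lax", "strict"):
        print("%-6s undeclared nested tree: %s" % (mode, validates(mode, bomb)))
    print("strict declared <note>:     %s" % validates("strict", "<note>ok</note>"))
```

With skip the wildcard content is not looked at, and with lax an element for which no declaration can be found is accepted as-is, so in both cases the undeclared nested tree sails through validation. Only strict rejects it, and only because nothing in the schema declares "x"; the declared "note" is accepted under strict, which is exactly why every legitimate extension has to be declared somewhere the validator can find it. Note that schema validation is a separate layer from the parser's own limits: libxml2, which lxml wraps, refuses nesting deeper than 256 levels by default unless huge_tree is enabled, so a validator alone is not what stops a nesting bomb.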
