Billion laughs attack

arkadiyt · on Jan 6, 2019

If you're parsing XML then external entities (allowing local file inclusion or server side request forgery) are much more dangerous for you than this denial of service. OWASP has a cheat sheet for disabling XXE on a few different parsers:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Pr...

robko · on Jan 6, 2019

Interestingly, many browsers are still susceptible to this attack, for example when used in SVG files (WARNING: might crash your browser and/or operating system): https://jsfiddle.net/e3guLn08/

kazinator · on Jan 7, 2019

Browsers are susceptible to a server that generates an infinite HTML page (e.g. CGI shell script calling "yes <arg>"), and also to thing called JavaScript that can eat all your memory programmatically (and does exactly so on a regular basis).

berbec · on Jan 6, 2019

Is this just a 21st century zipbomb?

0: https://en.m.wikipedia.org/wiki/Zip_bomb

tdurden · on Jan 6, 2019

The linked Wikipedia entry specifically references zip bombs as "a similar attack utilizing zip archives"

koolba · on Jan 6, 2019

Pretty sure this existed in the 20th century too.

AdmiralAsshat · on Jan 6, 2019

And here I thought this would be a variant of the hypothetical Chinese chair attack: https://www.straightdope.com/columns/read/142/if-all-chinese...

kristianp · on Jan 7, 2019

A similar attack on CSS in browsers was shown recently here: https://cras.sh/

kazinator · on Jan 7, 2019

> A "Billion laughs" attack should exist for any file format that can contain references, for example this YAML bomb:

C preprocessor?

  $ gcc -E - | wc
  #define EXP(X) X X X X X X X X X X X X X X X X
  #define LOL1 EXP(LOL)
  #define LOL2 EXP(LOL1)
  #define LOL3 EXP(LOL2)
  #define LOL4 EXP(LOL3)
  #define LOL5 EXP(LOL4)
  LOL5
  [Ctrl-D][Enter]
  11 1048588 4194376

Not normally considered a "file format", though. People don't open a C preprocessor attachment in their e-mail only to have some application grind their PC and crash. Or use this for RPC calls and whatnot.

sytringy05 · on Jan 7, 2019

This is loads of fun against batteries included web frameworks like rail, grails, play framework and so on. Not sure about now, but a few years ago basically all of them were susceptible to this and XXE and it was extremely difficult to disable in the XML parsers.

kerng · on Jan 7, 2019

This was been around for well over a decade. Interestingly though, denial of service is the less interesting issue that external entity parsing comes with. It can lead all the way to data exfiltration and remote code execution.

aussieguy1234 · on Jan 7, 2019

Time to switch to JSON

kerng · on Jan 8, 2019

Yep, there you can have direct code execution with some parses also... fun times. Creating objects out of untrusted data can be difficult.

mitchtbaum · on Jan 6, 2019

This is why I switched from yaml to scl. (Rust)

https://github.com/Keats/scl

EDIT: In spite of those who are downvoting my comment without even replying, I'm leaving it anyway; cause sharing good software outweighs whatever loss they intend to inflict.

henning · on Jan 6, 2019

Funny you should mention that. I found this while trying to decide which YAML library to use for Rust. https://github.com/dtolnay/serde-yaml/issues/53

mitchtbaum · on Jan 6, 2019

Yep, that issue and https://github.com/chyh1990/yaml-rust/issues/102 discuss the problem. But with scl we get a clean slate.

Midnightas · on Jan 6, 2019

Is Rust the Arch of programming languages?

"Btw I use Rust".

skocznymroczny · on Jan 7, 2019

I think that Rust has captured many developers that previously used Javascript, so it's their first introduction to things like static typing. As a result they are amazed that a compiler can show them errors in their code before it's run.

mitchtbaum · on Jan 6, 2019

> the Arch of programming languages

I don't get your analogy.

yareally · on Jan 6, 2019

I think they were getting at this:

How do you know someone uses "X"? Don't worry, they'll tell you.

vuln · on Jan 6, 2019

How do you know if an individual is a vegan, does CrossFit, etc? Don't worry they'll tell you.

sverige · on Jan 6, 2019

An elderly lady comes into the police station crying hysterically. "I've just been mugged!" she cries.

The desk sergeant asks, "Can you describe the mugger?"

"Not really, he grabbed me from behind. I know he's a man, bigger than me, and he's vegan."

"How on earth do you know he's vegan?"

"He bloody told me!"

felipemnoa · on Jan 7, 2019

Reminds me of this: https://www.theonion.com/area-man-constantly-mentioning-he-d...

michaelcampbell · on Jan 7, 2019

"...new iPhone..."