Common XML DDoS attacks

SOAP and indeed XML based architectures are a common part of the web services middle ware architecture.

However due to the high resource cost of XML parsing, even simple mistakes in design of XML documents can have catastrophic effects on the stability of your architecture. This fact makes XML based architecture especially susceptible to DDoS attacks.

Listed below are some of the most common XML based attacks.

Parsing attacks

XML files sent via SOAP requests are usually automatically parsed. The following attacks are based on this “feature”

Coercive parsing attack

As discussed, parsing XML documents is an extremely taxing task. In this attack, the attacker sends an XML document that is deeply nested.

Creating such a document is extremely easy since not all of it needs to be loaded into memory however a DOM based parser is likely to run out of memory before it can open thereby, bringing your servers down.

SOAP Array Attack

This is another attack on memory. SOAP allows triggering of remote functions, in this case the XML payload triggers the creation of an extremely large array on the remote machine.

XML element count attack

Services that automatically parse incoming SOAP requests can be brought down by a request that has an unusually high element count.

XML attribute count attack

Quite similar to the above but now with a high attribute count. The perceptive reader may have noted that this kind of attack could be combined with the element count attack for a more potent outcome.

XML Overlong Names Attack

XML nodes are usually parsed to keys in key value pairs. This nodes are element names, attribute names or values and namespace definitions. Where the nodes are extremely long some parsers will fail.

Hash collision attack (HashDoS)

Hash Table is a data structure used to implement an associative array, a structure that can map keys to values

In XML documents Hash tables are used to store attributes and their corresponding value. The value of a certain key is mapped to a storage bucket through a hash function that takes the key as input. In cases where a weak hashing function is used, an attacker can intentionally create hash collisions leading to intense computations within the bucket.

DTD attacks

DTD is an acronym for Document Type Definition it defines the structure and legal elements and attributes of an XML document. You can read up more on it here

Below as some attacks targeted at it.

XML Entity Expansion Attack

Also called the Billion Laughs Attack there is nothing funny about this attack. In this attack the XML document is structured such that the DOM parser recursively resolves entities defined within its DTD.

The parser will run out of memory long before it can resolve the document.

XML External Entity DoS Attack

DTD’s can be defined externally and a rel provided. This attacks works by forcing your server to resolve a large entity defined externally, typically in a server which the attacker controls.

Most of this attacks can be prevented by immunizing your application against them. Some measures include:

  • Lazy loading of XML documents
  • Enforcing limit on attribute count
  • Memory threshold
  • CPU time threshold
  • Authentication of all requests

Have you ever experienced a DDoS attack? Talk to us on the comments below.


Published by


Software Project Manager