vADC Forum

Occasional Contributor
Posts: 5
Registered: 06-04-2013
Accepted Solution

Handling XML Bomb

Hi All,

I am using Stingray 9.1 2000L series. I have got a live issue where I need to block certain incoming XML messages (XML bombs) which have an inline entity defined. Does anyone know of an in-built feature on the Stingray Traffic Manager to handle XML bomb messages? If not, can this be handled using custom TrafficScript rules? If yes, are there any packages available for the same?

Any help would be appreciated.

Thanks

Contributor
Posts: 74
Registered: 10-03-2011

Re: Handling XML Bomb

If you have no reason to allow in-line DTDs, then you could simply deny them with this...


if ( http.getMethod() == "POST" ) {

   # Only the first 1 KiB of the body is inspected. A DOCTYPE, if present,
   # has to sit in the prolog, so this is normally enough to catch it.
   $body = http.getBody(1024);

   # (?s) makes '.' match newlines. In a typical XML bomb the <!DOCTYPE and
   # the first <!ENTITY are on different lines, so without it the rule
   # never fires.
   if ( string.regexMatch($body, "(?s)<!DOCTYPE.*?<!ENTITY") ) {

      log.warn("XML post with ENTITY forbidden. Client: " . request.getRemoteIP() );

      http.sendResponse("403 Forbidden", "text/plain", "Inline DTDs are forbidden\r\n", "");

   }

}


But I tested the XML bomb against my Stingray (just for a laugh) and asked it to validate the document against a DTD. The parser detected the entity reference loop and spat out a failure. No adverse effects to Stingray. So it looks like you're pretty well defended out of the box if you have a DTD you can validate against.

Cheers,

Mark
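The rule above is the whole idea of an edge-side XML-bomb filter: look at the prolog, and refuse bodies that carry an internal DTD subset declaring entities, before any parser gets to expand them. The following is an added, stand-alone Python example (not TrafficScript, not the forum poster's code and not a Stingray feature) that does the same inspection and additionally estimates, from the declarations alone, how large each entity would become when expanded, and detects reference loops. Every function name, the 1 MB per-entity budget, and the constructed "billion laughs" document produced by make_bomb() are assumptions made for the example; prolog_has_entity() exists only to show why the regex must be allowed to cross line breaks.

```python
import re
from typing import Optional, Tuple

# Added example, not from the forum thread or from Stingray: a pure-Python
# pre-filter that decides whether an XML body should be rejected because it
# carries an inline DTD with entity declarations, without ever expanding one.

# Byte-oriented regexes so the check runs on the raw body before any decoding.
DOCTYPE_SUBSET_RE = re.compile(rb"<!DOCTYPE\b[^\[>]*\[(?P<subset>.*?)\]\s*>", re.DOTALL)
GENERAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?P<name>[^\s%>]+)\s+(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)')\s*>"
)
ENTITY_REF_RE = re.compile(rb"&([^\s&;]+);")


def prolog_has_entity(body: bytes, prefix: int = 1024, dotall: bool = True) -> bool:
    """The forum rule's check: '<!DOCTYPE' followed by '<!ENTITY' in the first
    `prefix` bytes.  dotall=False reproduces a regex whose '.' stops at a
    newline, which misses the usual multi-line bomb prolog."""
    flags = re.DOTALL if dotall else 0
    return re.search(rb"<!DOCTYPE.*?<!ENTITY", body[:prefix], flags) is not None


def internal_subset(body: bytes, limit: int = 64 * 1024) -> Optional[bytes]:
    """Return the internal DTD subset (text between '[' and ']>') or None."""
    m = DOCTYPE_SUBSET_RE.search(body[:limit])
    return m.group("subset") if m else None


def declared_entities(subset: bytes) -> dict:
    """Map general-entity name -> literal replacement text.  Parameter entities
    and SYSTEM/PUBLIC external entities do not match and are not expanded."""
    out = {}
    for m in GENERAL_ENTITY_RE.finditer(subset):
        out[m.group("name")] = m.group("dq") if m.group("dq") is not None else m.group("sq")
    return out


def expanded_size(name: bytes, entities: dict, memo: dict, stack: set) -> int:
    """Bytes the entity occupies once fully expanded, computed from the
    declarations only.  Raises ValueError on a reference loop (a->b->a), which
    an XML parser would reject as a well-formedness error."""
    if name in stack:
        raise ValueError("entity reference loop through %r" % name)
    if name in memo:
        return memo[name]
    value = entities.get(name)
    if value is None:
        # Undeclared or predefined (&lt; &amp; ...): stays short literal text.
        return len(name) + 2
    stack.add(name)
    size = len(value)
    for ref in ENTITY_REF_RE.findall(value):
        # Replace the '&ref;' token by the size of its own expansion.
        size += expanded_size(ref, entities, memo, stack) - (len(ref) + 2)
    stack.discard(name)
    memo[name] = size
    return size


def assess_xml_body(body: bytes) -> dict:
    """Summarise what an inline DTD in `body` would do if it were parsed."""
    subset = internal_subset(body)
    report = {"inline_dtd": subset is not None, "entity_decls": 0,
              "max_expansion": 0, "loop": False}
    if subset is None:
        return report
    report["entity_decls"] = subset.count(b"<!ENTITY")
    entities = declared_entities(subset)
    memo, worst = {}, 0
    try:
        for name in entities:
            worst = max(worst, expanded_size(name, entities, memo, set()))
    except ValueError:
        report["loop"] = True
    report["max_expansion"] = worst
    return report


def should_block(body: bytes, allow_entities: bool = False,
                 max_expansion: int = 1_000_000) -> Tuple[bool, str]:
    """Policy: with allow_entities=False (the thread's choice) any inline entity
    declaration is rejected; otherwise only loops and expansions above the
    assumed `max_expansion` byte budget are."""
    r = assess_xml_body(body)
    if r["entity_decls"] == 0:
        return False, "no inline entities"
    if not allow_entities:
        return True, "inline DTD declares entities"
    if r["loop"]:
        return True, "entity reference loop"
    if r["max_expansion"] > max_expansion:
        return True, "entity expands to %d bytes" % r["max_expansion"]
    return False, "inline entities within budget"


def make_bomb(depth: int = 9, fanout: int = 10) -> bytes:
    """Constructed 'billion laughs' test document: lol0 = 'lol' and each level
    references the previous one `fanout` times (depth 9 expands to 3*10^9 B)."""
    decls = [b'<!ENTITY lol0 "lol">']
    for n in range(1, depth + 1):
        decls.append(b'<!ENTITY lol%d "%s">' % (n, b"&lol%d;" % (n - 1) * fanout))
    return (b'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n ' + b"\n ".join(decls)
            + b"\n]>\n<lolz>&lol%d;</lolz>\n" % depth)


if __name__ == "__main__":
    for label, doc in [("bomb", make_bomb()), ("plain", b"<?xml version='1.0'?><doc>hi</doc>")]:
        print(label, assess_xml_body(doc), should_block(doc))
```

The size estimate is cheap (one pass over the declarations with memoisation) and never materialises the expansion, so the filter itself cannot be bombed; the loop detection mirrors the "entity reference loop" failure Mark saw from the validating parser, but catches it before a parser is involved.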



Occasional Contributor
Posts: 5
Registered: 06-04-2013

Re: Handling XML Bomb

Thanks Mark for this.

But my preference is to use an in-built feature if available before taking the route of TrafficScript rules.

Can Aptimizer be used for this?

Thanks

Rinu

Contributor
Posts: 74
Registered: 10-03-2011

Re: Handling XML Bomb

Hi Rinu,

The Aptimizer module is focused on optimizing response data and doesn't do anything with incoming data.

The module which would be of use is the Stingray Application Firewall (SAF) module. The SAF has a handler for enforcing policies against malicious body content. The "InvalidBodyTextHandler" can be used to protect yourself from the XML-Bomb.

[Screenshot: xml-bomb.png, the SAF InvalidBodyTextHandler rule configuration]

The rule will check for in-line entities, and if the SAF is deployed in protection mode it will actively reject such requests. If you don't have the SAF module, then please contact your account manager for options.

Cheers,

Mark


