| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| IIB9: Schema Validation XMLNSC Parser |
« View previous topic :: View next topic » |
| Author |
Message
|
| akil |
 Posted: Mon Jun 15, 2015 6:54 am Post subject: IIB9: Schema Validation XMLNSC Parser |
 |
|
Partisan
Joined: 27 May 2014
Posts: 338
Location: Mumbai
|
Hi
The documentation on the validation properties states
| Quote: |
If you enable message validation, and you select On Demand or Immediate for Parse Timing, validation errors might not be detected until later in the processing of a message by a message flow, or might never be detected if a portion of the message is never parsed. To make sure that all fields in a message are validated, either select Complete or, if the message domain is MRM, select Immediate and make sure that you resolve all unresolved types with a Composition of Choice or Message at the start of your message flow.
|
I understand from the above that, to completely parse the input (of a publicly available API), we'll use the setting as 'complete'.
But when this is set to 'complete' , is the service now susceptible to XML Denial of Service ? http://www.ws-attacks.org/index.php/XML_Document_Size_Attack ?
_________________
Regards |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Mon Jun 15, 2015 6:56 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Shouldn't that depend entirely on the transport you're using to receive the XML document?
Shouldn't you consider how you are exposing that transport to inputs from somewhere that could generate a denial of service attack? |
|
| Back to top |
|
|
| kimbert |
| Posted: Mon Jun 15, 2015 11:24 am Post subject: |
|
|
Jedi Council
Joined: 29 Jul 2003
Posts: 5542
Location: Southampton
|
There is more than one way to attack a system using an XML document. Not all of them will be prevented by using Parse Timing='On demand'.
_________________
Before you criticize someone, walk a mile in their shoes. That way you're a mile away, and you have their shoes too. |
|
| Back to top |
|
|
| akil |
| Posted: Mon Jun 15, 2015 8:26 pm Post subject: |
|
|
Partisan
Joined: 27 May 2014
Posts: 338
Location: Mumbai
|
Hi
The transport is HTTP.
Agree, there are many possible attacks, and not all of them would have a single solution. Validating the incoming XML against a schema is some thing that should be in place would be one of the things to do , isn't it ? https://www.owasp.org/index.php/Data_Validation.
I understand that one should do the following to complete data validation:
1. Completely validate the document (& not only parts that are referenced), by using parse timing = 'complete'
2. Use Exception instead of ExceptionList to stop validation on the first error
Are there any other parameters that could be of relevance here?
While the documentation says XMLNSC is a streaming parser, does parse timing = 'complete' result in the full document getting loaded in memory (which would make it susceptible to large size XML document attacks) ?
[/list]
_________________
Regards |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Jun 16, 2015 4:42 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
So HTTP documents get very messy to send and use as they get larger than about 10 meg.
Again, you should probably have either configuration at your webserver or configuration at your firewall/web proxies to detect and limit the size of incoming documents. Ideally, both.
Yes, the point of a streaming parser is that it limits the amount of memory that is used - at least up front. If your code accesses the full document, or even the last element in the document, then it will still all get loaded into memory.
Yes, if you ask it to parse the complete document, then the complete document will get loaded into memory. Because it does indeed have to access the last element in the document. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
