Billion laughs attack(en.wikipedia.org)
en.wikipedia.org
Billion laughs attack
https://en.wikipedia.org/wiki/Billion_laughs_attack
26 comments
Time to switch to JSON
Yep, there you can have direct code execution with some parses also... fun times. Creating objects out of untrusted data can be difficult.
If you're parsing XML then external entities (allowing local file inclusion or server side request forgery) are much more dangerous for you than this denial of service. OWASP has a cheat sheet for disabling XXE on a few different parsers:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Pr...
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Pr...
Is this just a 21st century zipbomb?
0: https://en.m.wikipedia.org/wiki/Zip_bomb
0: https://en.m.wikipedia.org/wiki/Zip_bomb
And here I thought this would be a variant of the hypothetical Chinese chair attack:
https://www.straightdope.com/columns/read/142/if-all-chinese...
This is why I switched from yaml to scl. (Rust)
https://github.com/Keats/scl
EDIT: In spite of those who are downvoting my comment without even replying, I'm leaving it anyway; cause sharing good software outweighs whatever loss they intend to inflict.
https://github.com/Keats/scl
EDIT: In spite of those who are downvoting my comment without even replying, I'm leaving it anyway; cause sharing good software outweighs whatever loss they intend to inflict.
Funny you should mention that. I found this while trying to decide which YAML library to use for Rust. https://github.com/dtolnay/serde-yaml/issues/53
Yep, that issue and https://github.com/chyh1990/yaml-rust/issues/102 discuss the problem. But with scl we get a clean slate.
Is Rust the Arch of programming languages?
"Btw I use Rust".
"Btw I use Rust".
I think that Rust has captured many developers that previously used Javascript, so it's their first introduction to things like static typing. As a result they are amazed that a compiler can show them errors in their code before it's run.
> the Arch of programming languages
I don't get your analogy.
I don't get your analogy.
I think they were getting at this:
How do you know someone uses "X"? Don't worry, they'll tell you.
How do you know someone uses "X"? Don't worry, they'll tell you.
How do you know if an individual is a vegan, does CrossFit, etc? Don't worry they'll tell you.
An elderly lady comes into the police station crying hysterically. "I've just been mugged!" she cries.
The desk sergeant asks, "Can you describe the mugger?"
"Not really, he grabbed me from behind. I know he's a man, bigger than me, and he's vegan."
"How on earth do you know he's vegan?"
"He bloody told me!"
The desk sergeant asks, "Can you describe the mugger?"
"Not really, he grabbed me from behind. I know he's a man, bigger than me, and he's vegan."
"How on earth do you know he's vegan?"
"He bloody told me!"
Reminds me of this: https://www.theonion.com/area-man-constantly-mentioning-he-d...
"...new iPhone..."
Interestingly, many browsers are still susceptible to this attack, for example when used in SVG files (WARNING: might crash your browser and/or operating system): https://jsfiddle.net/e3guLn08/
Browsers are susceptible to a server that generates an infinite HTML page (e.g. CGI shell script calling "yes <arg>"), and also to thing called JavaScript that can eat all your memory programmatically (and does exactly so on a regular basis).
A similar attack on CSS in browsers was shown recently here: https://cras.sh/
This was been around for well over a decade. Interestingly though, denial of service is the less interesting issue that external entity parsing comes with. It can lead all the way to data exfiltration and remote code execution.
This is loads of fun against batteries included web frameworks like rail, grails, play framework and so on. Not sure about now, but a few years ago basically all of them were susceptible to this and XXE and it was extremely difficult to disable in the XML parsers.
> A "Billion laughs" attack should exist for any file format that can contain references, for example this YAML bomb:
C preprocessor?
C preprocessor?
$ gcc -E - | wc
#define EXP(X) X X X X X X X X X X X X X X X X
#define LOL1 EXP(LOL)
#define LOL2 EXP(LOL1)
#define LOL3 EXP(LOL2)
#define LOL4 EXP(LOL3)
#define LOL5 EXP(LOL4)
LOL5
[Ctrl-D][Enter]
11 1048588 4194376
Not normally considered a "file format", though. People don't open a C preprocessor attachment in their e-mail only to have some application grind their PC and crash. Or use this for RPC calls and whatnot.