2015 IEEE International Conference on Software Quality, Reliability and Security

Known XML Vulnerabilities Are Still a Threat to

Popular Parsers and Open Source Systems
Sadeeq Jan, Cu D. Nguyen, Lionel Briand
Interdisciplinary Centre for Security, Reliability and Trust
University of Luxembourg, Luxembourg
Email: {sadeeq.jan,duy.nguyen,lionel.briand}@uni.lu

Abstract—The Extensible Markup Language (XML) is exten- XML External Entities (XXE). First, among publicly available
sively used in software systems and services. Various XML-based parsers, 13 of them were picked that are widely used by
attacks, which may result in sensitive information leakage or
denial of services, have been discovered and published. However,
projects hosted at GitHub and Google Code, the two most
due to development time pressures and limited security expertise, popular open source repositories. We then submitted to each
such attacks are often overlooked in practice. In this paper, parser a set of XML files carefully selected according to
following a rigorous and extensive experimental process, we study a systematic test strategy. These test files can detect if the
the presence of two types of XML-based attacks: BIL and XXE in parser is vulnerable to the two XML-based attacks. Finally,
13 popular XML parsers. Furthermore, we investigate whether
open-source systems that adopt a vulnerable XML parser apply
we observed the behaviour of the parsers in terms of memory
any mitigation to prevent such attacks. Our objective is to provide consumption, CPU time, and parsing results in order to assess
clear and solid scientific evidence about the extent of the threat their vulnerability. Moreover, we also investigated, based on
associated with such XML-based attacks and to discuss the 628 open source projects that use a vulnerable parser, whether
implications of the obtained results. Our conclusion is that most developers properly configured the parser to thwart these
of the studied parsers are vulnerable and so are systems that use
them. Such strong evidence can be used to raise awareness among
XML-based attacks or adopted other mitigation measures. The
software developers and is a strong motivation for developers to obtained results are very alarming: most of the selected parsers
provide security measures to thwart BIL and XXE attacks before are vulnerable to BIL and XXE attacks, and no measures are
deployment when adopting existing XML parsers. taken to prevent such attacks to harm the systems using these
Index Terms—XML Vulnerabilities (BIL, XXE), XML Parsers, parsers.
Security Testing.
The key contribution of this paper includes a large-scale,
systematic experimental assessment of widely-used and well-
I. I NTRODUCTION
known XML parsers and a large number of systems that
XML is the enabling technology used in most of today’s use those parsers, with respect to two common XML-based
web services for exchanging data between service providers attacks. The obtained experimental results provide an unbiased
and consumers. XML is also widely used to store data and con- and extensive evidence of the lack of mitigation for such
figuration files that govern the operation of software systems. attacks. In turn, this can help raise awareness among software
However, a dozen of XML vulnerabilities have been recently developers that appropriate security measures are required for
uncovered and reported [5], [14]; they provide opportunities using such vulnerable XML parsers.
for denial of service attacks or malicious data access and The remainder of the paper is structured as follows. Section
manipulation. As a consequence, many systems that rely II provides detailed background on the two studied XML-
on XML are at risk if they do not properly mitigate these based attacks and discusses related work. Section III describes
vulnerabilities. Such systems include (i) web services, (ii) our study: procedure, results, and discussion. Finally, Section
XML processors, and (iii) other systems that read XML input IV concludes the work.
data or configurations.
The popularity of XML and its wide adoption in software II. BACKGROUND AND R ELATED W ORK
systems make it an attractive target for attackers. A recent
study has revealed that web-based systems experience up to A. Background
26 attacks per minute [1]. Given the fact that XML is a core Standardised by the W3C [2], Document Type Definition
technology of web services and is adopted in many other (DTD) is a mechanism to define legal building blocks (e.g.,
systems, attacks that target XML vulnerabilities are, therefore, elements, types, or content) of XML documents [4]. Many
likely to be frequent. In general, this large number of attacks XML parsers support DTD. However, when these parsers are
and their successful exploitations are attributed to the lack of used improperly or the developers are unaware of such a
a secure coding practice, insufficient training and expertise of DTD support feature, the resulting software systems might be
developers, and inadequate security testing before deployment. vulnerable to DTD-based attacks. XML Billion Laughs (BIL)
In this paper, we test popular parsers for two of the most and XML External Entities (XXE) are two such attacks. This
common XML-based attacks, XML Billion Laughs (BIL) and section describes these attacks and their impact in detail.

978-1-4673-7989-2/15 $31.00 © 2015 IEEE 233

DOI 10.1109/QRS.2015.42
 1) BIL: BIL, also known as ‘XML Bomb’, uses the concept B. Related Work
of XML entity reference to launch denial of service attacks.
There is a large research body investigating the potential
An XML entity is a variable defined for creating a reference
exploits in web services, e.g., [7], [10], [12], [14], [15], [20],
to some content in the document or external data. In this
[22]. Tiwari and Singh [22] described various attacks on
type of attack, a block of XML is created that is well-formed
atomic as well as composite web services, including denial
(conforms to W3C syntax rules for XML) [2] but forces a
of service and injection attacks (SQL/XML/XPATH) along
target parser to consume a large amount of resources (Memory
with their impacts and countermeasures. Similarly, Gupta and
or CPU).
Thilagam [14] provided insights about various forms of XML-
Figure 1 is an example that can be used for this kind of
based attacks on web services and possible countermeasures.
attack. In the example, 10 entities (‘lol’-‘lol9’) are created
XML oversize payload (here referred to as BIL) and XXE at-
where each entity contains 10 references to the previous entity.
tacks are two out of 18 attacks against web services described
The XML parser has to parse the entity ‘&lol9;’ that is
in the paper. Their descriptions are limited and no wide scale
encountered in the root element ‘lolz’, which further contains
experiment on parsers and systems is performed to assess the
several entity references ‘&lol8;’. Because of this recursion,
impact of these vulnerabilities in practice. Orrin [18] discussed
when the parser resolves all entity references found in those
the SOA/XML Threat Model and the new XML/SOA/Web
10 entities in this XML document, it expands to one billion
2.0 attacks and threats in detail. XML attacks are classified
copies of the first entity, occupying a very large amount of
into four main categories: Payload/Content Threats, XML Mis-
memory.
use/Abuse, XML Structure Manipulation, and Infrastructure
The target of BIL is a denial of service attack on XML Attacks. BIL and XXE attacks are discussed under the XML
parsers that may lead to the unavailability of systems that Structure Manipulation category.
use such parsers. The impact of this vulnerability can be very
Automated approaches to detecting vulnerabilities in web
dramatic. With a very small XML file (a few hundred bytes)
service frameworks (containers) have been investigated, e.g.,
an attacker can occupy several gigabytes of memory and can
[8], [6], [16], [11], [17]. Mainka et al. [16] described their
also keep the CPU busy for a long time, effectively preventing
approach to automated penetration testing of web services
legitimate traffic from being processed. In order to ensure the
frameworks. They implemented a tool called WS-Attacker. It
availability of web services and systems using XML Parsers,
is extensible with additional plugins for web service specific
it is very important to test the parsers for the presence of BIL
attacks. Evaluation has been performed on some web services
vulnerabilities.
frameworks, e.g., Apache Axis21 and JBoss2 , to detect two
2) XXE: XML External Entities allow the inclusion of data
web service specific attacks: WS-Addressing spoofing3 and
dynamically from a given resource (local or remote) at the
SOAPAction4 . Oliveira et al. [17] developed a similar pen-
time of parsing. This feature can be exploited by attackers
etration testing tool, WSFAggressor, for security testing of
to include malicious data from external URIs or confidential
web services frameworks. In fact, this tool is an extension
data residing on the local system. If XML parsers are not
of the WS-Attacker using a small set of its functionality but
configured to prevent or limit external entities, they are forced
providing more web service specific attacks. Chang et al. [11]
to access the resources specified by the URI [3].
Consider the following simple XML: proposed a fuzz testing approach to vulnerability identification
and analysis in web service architecture.
<?XML version="1.0"?> Prevention and detection approaches to XML Denial of
<!DOCTYPE myFile [
<!ELEMENT myFile ANY >
Service (XDoS) Vulnerabilities in web services have been
<!ENTITY xe SYSTEM "file:///etc/passwd"> investigated. Falkenberg et al. [13] discussed some techniques
]> for targeting XML-based message formats using various XML
<myFile>&xe;</myFile> properties and developed an approach to XDoS penetration
testing of web services. The approach is based on measuring
This is a well-formed XML document. During parsing, the
deviations in response time of a web service between original
parser will replace the external entity ‘&xe;’ with the content
(unchanged) and tampered requests. Suriadi et al. [21] investi-
of the system file ‘/etc/passwd’, which contains confidential
gated the XDoS vulnerabilities in few web services platforms
information and might be disclosed. Another example, if the
and described the corresponding effects on CPU and memory
URI ‘file:///etc/passwd’ is replaced by a link to a malicious
consumption of the target. Other similar work on XDoS can
server that never responds, the parser might end up waiting,
be found in [9], [19], [24].
thus causing delays in the subsequent processes.
Successful exploitation of this vulnerability may result In summary, existing work has discussed various XML
in sensitive data disclosure, denial of service, or gaining vulnerabilities, their impact, and how to detect them in web
unauthorized access to the system resources. If an XML services and their containers. However, no work has been
parser does not block external entity expansion and is able 1 http://axis.apache.org
to access the referred content, one user may be able to gain 2 http://www.jboss.org
unauthorized access the data of other users, leading to a breach 3 http://www.ws-attacks.org/index.php/WS-Addressing spoofing
of confidentiality. 4 http://ws-attacks.org/index.php/SOAPAction spoofing

234
 <?XML version="1.0"?>
<!DOCTYPE lolz [
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]>
<lolz>&lol9;</lolz>

Fig. 1. Example of an XML Bomb, an attack that uses the reference mechanism in XML.

carried out to study, in a systematic and rigorous manner, the XML parsers. In total, we selected the 13 most commonly used
presence of XXE and BIL vulnerabilities in modern XML parsers, e.g., the standard Java DOM, Python ETree, Microsoft
parsers and open source systems, which is the goal of this XML parser (MSXML). Table I lists these parsers, their cur-
paper. rent versions and languages, and provides short descriptions.
We evaluated the adoption of the selected parsers in GitHub5
III. E XPERIMENTAL S TUDY and Google Code6 to assess how widely they are used in
This section describes our study about the security of practice. GitHub and Google Code are highly popular open
the most popular parsers and open source software systems source hosting systems. Though there exists a few more
that use them, with respect to XML-based attacks. First, we project hosting systems, such as sourceforge.net, we focused
introduce our research questions and justify our selection of on GitHub and Google Code since they do index source code
subject parsers and systems. Second, we discuss the procedure very well, thus making it easier to query for the use of XML
that we follow to conduct the experiments. Finally, we discuss parsers in the source code of hosted projects.
the implications of the findings and provide recommendations On GitHub, for the Java parsers we used its search feature
for developers. to query for the XML parsing classes. For the other parsers,
the queries are conjunctions of the name of the corresponding
A. Objectives
XML processing classes or libraries and the names of the
We investigate two research questions: methods that parse XML inputs, e.g., “xml.etree.ElementTree”
• RQ1: To which extent are BIL and XXE attacks success- AND “parse”. On Google Code, we used Google Search7 with
ful in modern XML parsers? a site directive to narrow the search to solely code.google.com,
• RQ2: Do software systems, which use one of the vul- and the queries were similar to those for GitHub. For both
nerable parsers, apply mitigation techniques for BIL and repositories, we filtered the results to the specific language that
XXE attacks? a parser supports. Table II shows the frequency with which
We scoped our research by focusing on parsers that are in- these parsers on GitHub and Google Code were adopted.
tegrated with modern programming languages and are popular These numbers might be over-approximated since the search
in open source systems. We expect such parsers to be widely can return code that was commented out or unused (discussed
used in practice. We focus on parsers since, when XML inputs in Section III-E). The total number of adoptions of the
are submitted to a system, an XML parser used in the system parsers in both repositories goes above half a million. Except
needs to treat those inputs first. And if the parser is vulnerable, WOODSTOX, which is adopted about 500 times, the others are
the impact can be escalated to its encompassing system. In much more frequently used, ranging from a few thousand to a
fact, there exist many other proprietary parsers. These parsers hundred thousand times. This clearly shows that the selected
can potentially also be vulnerable to BIL and XXE if their parsers are widely used.
developers lack knowledge about such attacks. However, they C. Experimental Procedure
are out of the scope of our study.
Our experimental procedure consisted of the following
B. Subject Selection steps: (i) writing code to invoke each parser and pass XML
We first selected the parsers that come with modern pro- 5 https://github.com
gramming languages, including Java, Python, PHP, Perl, C#. 6 https://code.google.com

Then, we expanded our selection to widely-used, open-source 7 http://google.com

235
 TABLE I
L IST OF 13 POPULAR XML PARSERS SELECTED FOR OUR ASSESSMENT.

No Parser Language Version Short Description

1 JDOM2 Java 2.0 An XML library built specifically for Java, available
at www.jdom.org
2 NanoXML Java 2.2 A small non-validating parser for Java, available at
nanoxml.sourceforge.net/orig
3 NanoXML-LITE Java 2.2 A successor NanoXML built for performance
4 Std-DOM Java 1.7 The standard DOM parser built in Sun/Oracle Java
5 Std-SAX Java 1.7 The standard SAX parser built in Sun/Oracle Java
6 Std-STAX Java 1.7 The standard STAX parser built in Sun/Oracle Java
7 WOODSTOX Java 4.2 A high-performance XML processor, available at
woodstox.codehaus.org
8 XERCES-JDOM Java 2.11 The Apache Xerces2 DOM parser, available at
xerces.apache.org/xerces2-j/dom.html
9 LXML-ETREE Python 3.3.5 A Python XML parser available at lxml.de
10 Std-ETREE Python 2.7.6 The standard XML parser built in Python
11 PERL(XML::LibXML) Perl 5.18.2 A Perl Binding for libxml2, tested in OSX 10.9
12 PHPDOM PHP 5.5.9 The standard DOM parser built in PHP
13 MSXML (DOMDocument) C#, Javascript,... 8.0.0 The Microsoft XML parser (MSXML) widely used
in Windows

TABLE II
T HE USE OF THE PARSERS IN OPEN SOURCE SYSTEMS , DATA COLLECTED FROM G IT H UB AND G OOGLE C ODE AS OF AUGUST 12 TH , 2014.

Parser Query GitHub Google Code

JDOM2 org.jdom2.input.SAXBuilder 2,861 9,380
NanoXML net.n3.nanoxml.IXMLParser 1,410 291
NanoXML-LITE nanoxml.XMLElement 6,057 4,380
Std-DOM javax.xml.parsers.DocumentBuilder 112,638 58,900
Std-SAX javax.xml.parsers.SAXParser 43,307 11,200
Std-STAX javax.xml.stream.XMLStreamReader 84,826 4,840
WOODSTOX org.codehaus.stax2.XMLStreamReader2 252 251
XERCES-JDOM org.apache.xerces.parsers.DOMParser 3,444 1,440
LXML-ETREE “lxml import etree” + parse 16,012 21,200
Std-ETREE “xml.etree.ElementTree” + parse 27,905 43,100
PERL(XML::LibXML) “XML::LibXML” + parse file 1,024 990
PHPDOM DOMDocument + loadXML 71,217 32,300
MSXML (DOMDocument) MSXML.DOMDocument + load 24,671 565
Total 395,624 188,837

files as input, (ii) preparing representative XML input files ...

that can apply BIL and XXE attacks, and (iii) running each try {
parser to parse every prepared XML input files and analysing df= DocumentBuilderFactory.newInstance();
docBuilder= df.newDocumentBuilder();
CPU time, memory used, and the outputs to determine whether docBuilder.parse(inputFile);
the parser is vulnerable to BIL or XXE. We define a parser as } catch (Exception e){
XXE-vulnerable if it attempts to expand the content of an XML ...
input file to include a system file, a user file, or an external For the BIL category, we wrote a simple tool that can
resource (such as from a URL to a web page). We consider a generate XML files (XML bombs) of desired size to reveal
parser as BIL-vulnerable if it requires exceptionally high CPU BIL vulnerabilities. Each XML bomb is characterised by
time and memory when parsing XML Bombs in comparison the number of recursive reference loops and the number of
to parsing regular XML files (inputs that a system expects) of references per loop. The example in Section II has a size of
a similar size. 10x10. In our experiments, we prepared a set of 10 XML
For each parser we wrote code that invokes the parser and bombs of sizes 5x10, 6x10, ..., 15x10.
gives a file path as input to the parser. We made sure that such For the XXE category we selected three XML files, called
code is minimal: all it does is to instantiate the parser class XXE attacks, for the parsers: the first one has an entity that
and invoke a parsing method, without changing any default points to a UNIX system file (/etc/passwd), the second one
property of the parser. We observed that this is a common points to a user file in the same directory of the XML files
usage pattern of developers when they adopt a parser, keeping (user.txt), and the last one points to a Windows system file
every property to default. Following is an excerpt of code that (c:\\ Windows \win.ini). These files represent user and system
we wrote to invoke Std-DOM: files of the Linux, Mac OSX, and Windows operating systems.
It is important to note that this testing methodology can be

236
reused to test new parsers for BIL and XXE attacks.
D. Results on the Parsers
XXE: Concerning XXE, we manually inspected the results
obtained from each parser when they were fed with the three
XXE attacks. We found that the vulnerable parsers attempt
to expand the parsing results to include the content of the
referred files, specified in the XXE attacks. If the expansion
is successful, the content of the referred file (e.g., /etc/passwd)
is included in the parsing result. Otherwise, an exception
stating an access permission error is returned. Nevertheless, Fig. 3. An output example of Google Chrome that recognises an input XML
Bomb and raises an exception.
both cases indicate an XXE vulnerability because the parsers
try to access the content of the referred file. The other non-
vulnerable parsers blocked the entity expansion and returned
an error reporting the issue.
As a concrete example, Figure 2 depicts the parsing result
of a vulnerable parser where the parser was able to acquire
the content of the file referred to by the entity in the XML
file. In this example, this content has been included within the
tag <foo>.

Fig. 4. An output example of Microsoft Internet Explorer that uses a BIL-

Fig. 2. An output example of Microsoft Internet Explorer that uses a XXE- vulnerable parser. The browser expands recursively the content of an XML
vulnerable parser. The browser expands the content of a text file referred to Bomb, occupies the system’s CPU and memory, and renders the system
by the XXE attack and displays it. irresponsive.

BIL: Regarding BIL, we observed the CPU time and

memory consumption of each parser when parsing each of
the generated XML bombs. The size of each of these XML
bombs was less than 1KB. Since regular XML files of size
ranging from 1KB to 10KB require a small amount of memory
(less then 1Mb in most cases) and a second of CPU time,
the generated BIL attacks with similar size should result in
similar behaviour if a parser is not vulnerable. Moreover, a
non-vulnerable parser should be able to detect malicious entity
reference loops in input XML files and raise an exception.
Otherwise, when a parser exhibits significant deviation in
terms of memory consumption and CPU time, it is regarded
as BIL vulnerable.
As an example, Figure 3 represents the parsing output
of an XML bomb file where the parser detected an entity
reference loop. This is considered to be the desirable behaviour
of the parser. However, some parsers could not detect these
entity reference loops in our experiment, thus, making them
vulnerable to BIL attacks. As an example, Figure 4 shows the
parsing result of the same XML bomb file by a vulnerable
Fig. 5. Memory consumption of the parsers when parsing XML Bomb files
parser where it could not detect the entity reference loops and of different sizes (specified in Mx N , M is the number of recursive reference
kept expanding the entity “lol”. loops; N is the number of references per loop).
Figures 5 and 6 depict the memory and CPU time required
for the eight BIL-vulnerable parsers to parse XML bombs

237
of different sizes. We observe that the amount of memory TABLE III
S UMMARY OF BIL AND XXE VULNERABILITIES IN THE PARSERS . W E
required to parse XML bombs increases exponentially, for REPORT WHICH PARSERS ARE VULNERABLE TO BIL AND XXE.
all the vulnerable parsers. For the XML bomb of size 6x10,
the parsers require at least 33Mb RAM to parse the input.
Parser Vul. to BIL Vul. to XXE
When the size is equal or greater than 7x10, the amount of JDOM2 Yes Yes
memory consumed increases significantly, from 200Mb up to NanoXML Yes Yes
8Gb, which is the limit we set for each run. NanoXML-LITE No No
Std-DOM Yes Yes
Std-SAX Yes Yes
Std-STAX No No
WOODSTOX No No
XERCES-JDOM Yes Yes
LXML-ETREE No No
Std-ETREE Yes No
PERL(XML::LibXML) Yes Yes
PHPDOM No No
MSXML (DOMDocument) Yes Yes
Total 8 7

of XML processing library, Apache Xerces10 , is present in

Java Classpath. Thanks to its dynamic binding feature, Java
uses Apache Xerces for parsing XML instead of its internal
implementation, making Std-DOM and Std-SAX vulnerable.
To summarize, regarding research question RQ1 we found
that:
BIL and XXE attacks are successful in many modern
XML parsers. Among the ones selected for experimen-
tation, more than half are vulnerable.
Fig. 6. CPU time required for the parsers to parse XML Bomb files of
different sizes (specified in Mx N , M is the number of recursive reference E. Results on Open Source Systems
loops; N is the number of references per loop).
In the previous section, we reported that many parsers,
Comparing to the memory consumption, the results with including the most adopted one (Std-DOM), are vulnerable to
respect to CPU time differ slightly. Std-ETREE and Perl BIL and XXE attacks. During our study, we also experienced
(XML:LibXML) require less than 2 minutes to parse BIL many applications that crashed or hung when opening an
files up to size 9x10 thanks to their fast underpinning XML XML bomb file, such as Microsoft Visual Studio Express
processing library8 . The others demand much more CPU time, 201311 . Therefore, we extended our study to investigate the
from 51 minutes with BIL 7x10, up to a few hundred of research question RQ2 to see whether software systems that
minutes. The CPU time and memory consumption of the use vulnerable parsers properly prevent BIL and XXE attacks.
Java parsers were measured on a Linux node (2.4GHz, 1024 Specifically, we picked a large number of open source
Gb RAM) of the UL HPC platform [23]. For the others, systems that adopt Std-DOM and are hosted on GitHub. Std-
we used a Mac (3.5GHz, 16Gb RAM). This clearly shows DOM is the most used parser as Table II has shown, and
the overwhelming cost in terms of CPU time and memory GitHub enables us to quickly search and download source
consumption when a vulnerable parser undergoes BIL attacks. code for analysis. We used the same query as used in Ta-
Table III summarises the results that we obtained. Out of 13 ble II for Std-DOM:“javax.xml.parsers.DocumentBuilder” on
parsers of different languages, 8 (61.53%) are vulnerable to GitHub. Among the results, we selected the first 1000 Java
BIL and 7 (53.85%) are vulnerable to XXE. It is surprising that source files that contained the query keyword. We then further
more than half of the parsers (most of them are extensively filtered all files that did not actually parse XML inputs (e.g.,
used, see Table II) neglect these vulnerabilities. If the adopters some classes import “javax.xml.parsers.DocumentBuilder” but
of the parsers remain unaware of their presence, it is highly do not use it) and thus obtained 749 Java classes belonging
likely that their systems will be at risk due to BIL or XXE to 628 open source projects. Table IV shows a sample of
attacks. 99 of them for references. All these classes together with
Since Std-DOM and Std-SAX are very popular, we have other artefacts used in our experiments are available at http:
investigated further and found out that they are vulnerable //people.svv.lu/sadeeq/bilxxe.
from version 1.5 backward9 . From version 1.5 to 1.7, these Going back to the over-approximation concern that we
parsers are vulnerable only when the original implementation mentioned in Section III-B about the number of adoptions
8 libxml2, 10 http://xerces.apache.org
available at http://xmlsoft.org
9 http://docs.oracle.com/javase/1.5.0/docs/guide/xml/jaxp/ 11 http://www.visualstudio.com/en-us/products/visual-studio-express-

JAXP-Compatibility 150.html vs.aspx

238
 TABLE IV
A SAMPLE OF 99 OPEN SOURCES PROJECTS AMONG THOSE SELECTED IN OUR STUDY. T HE PROJECTS ARE ACCESSIBLE BY APPENDING THESE NAMES TO
GITHUB . COM , AS OF AUGUST 2014.

/godfreynolan/AndroidBestPractices /AuScope/MDU-Portal /v5developer/maven-framework-project

/970815940/desginModel /kozakvoj/PPM /0x17/Pecker
/jack2w/microcard /jab416171/Android-Battleship-Client /mmpp/amazon-rest-api
/dippe/RooGo /bobfreitas/http-client-tester /rkday/jsipp
/mavenlab/jetset /khassen/JavaCollectionFichierJaxBInitiation /lshain-android-source/external-robolectric
/iambus/xquery-b /eyupdalan/edalanxmlgettersaver /xpavlic4/skgaAndroid
/cpliakas/solr-config-validator /bohdantan/task 3 /mindblender/uPortal-old
/RamKancharla/2012 R3 /leandersabel/uPortal /mltech/mlt-lib
/rlm33/TPV-RASS /tsaikd/KDJLib /renatoathaydes/OsgiMonitor
/brooklyncentral/brooklyn /Gawkat/TimeWarpEngine /ImpressiveCode/ic-depress
/Emmsii/Dungeon-Crawler /screamconjoiner/jPath /BBK-PiJ-2012-88/PSO
/guzziye/test /amitkapps/pocs /protocol7/Artemisa
/leveluplunch/levelup-java-examples /nemrioff/NemerovCommonTest /juphich/toolab
/sci4me/NSAClicker /Albaniusz/java mkyong /nerotech1989/ServerMonitor
/jirrick/Superfarmar /Koziolek/kursynbp /TechnicPack/LauncherCore
/gongchangxing/Test /redmoo84/PPS ITSM /GMOD/Apollo
/zeng233/myproject /tefreestone/myBYU /panipsilos/seerc-email-service
/smeza/srv client /AuScope/C3DMM /escidoc/srw-repository
/tomtrath/homecan /Rembau/xmlTest /mkimberlin/sencha-touch-experiments
/wbssyy/DPminingFromCode /antouk/rstext /julieklein/ProteasixDatabase PMAP
/chandrasekharab/mongoexp /bulain/zk-demo /icplayer/icplayer
/Bert89/luca perilongo /faramde/Harar-Emmanuel /HemanandRajamani/RJUnit
/rodmidde/confluence-citation-plugin /unja66/PK300 /bharcode/TwitterScraper
/garbray/SOA /himadri77/SCRadioListener /geoserver/geoserver-history
/brandom-iava/iava-dp /minsler/by.minsler.xml /chuntakli2/DriverApp
/stestaub/entityLoadingBug /jlamandecap/saml-assertion-tools /benbenedek/j2ee-homework
/gaohoward/jbm-to-hornetq /angusws/tcx2nikeplus /YusukeNumata/Training
/RasThomas/MedArt /jost125/MI-W20-FLICKER /JoelJ/JCss
/BretonJulien/GamePlayerXML /net900621/owl-eye /web-builder/mdr
/Lewuathe/HD /Rakurai/dip /ArnaldoTrujillo/Comercial Suit
/sklay/njztsm /berk/banksystem example /gbhl/bhl-europe
/powerbush/mtk75m /rohitkochar/FlickrSync /tadayosi/larvae
/clem87/RSSAgregat /EstarG/JavaWeb /irina-andreevna-ivanova/ivanova p01

of our selected parsers by software developers, our inspection following attributes and their values in the source code of the
of the 1000 Java source files demonstrates that approximately selected Java classes.
75% (749 out of 1000) of these classes actually use the Std-
DOM parser, while the remaining 25 % do not. Assuming 25% Attribute Value
is an accurate estimate for the remaining parsers in Table I, “http://apache.org/xml/features/disallow- true
the total number of source classes that use our selected parsers doctype-decl”
should still number more than 400,000. Also, note that our “http://xml.org/sax/features/external- false
general-entities”
search results are based on only two repositories (GitHub and
“http://xml.org/sax/features/external- false
Google Code) among other repositories where these selected parameter-entities”
parsers could be used. This increases the number of their “JDK ENTITY EXPANSION LIMIT” a numeric value
adoptions. Therefore, we are certain that our selected parsers “FEATURE SECURE PROCESSING” true
are widely used by software developers.
Our assessment on whether a system that makes use of Std- Out of 749 selected Java source files (belonging to 628
DOM deals appropriately with BIL and XXE vulnerabilities is GitHub projects) that use Std-DOM to parse XML inputs, we
based on the application of known fixes, i.e., properly setting found only one file that properly sets one of the above prop-
the attributes of the parser (through the DocumentBuilder- erties to avoid being attacked through BIL and XXE vulnera-
Factory class) before using it to parse an XML input. For bilities. Among the remaining files, 735 classes (98,13%) are
example: clearly vulnerable. The other 14 classes cannot be confirmed to
be vulnerable with certainty since they use a DocumentBuilder
dbf = DocumentBuilderFactory.newInstance(); object created elsewhere in their corresponding projects and
dbf.setFeature("http://apache.org/xml/features/
disallow-doctype-decl", true);
security properties might be set from there. Nevertheless, these
results indicate that developers (at least the owners of the se-
In our assessment, we seek for the presence of any of the lected projects) have neglected to address these vulnerabilities.

239
 TABLE V
T ESTED APPLICATIONS THAT ARE VULNERABLE TO BIL AND XXE.

Application Description
websphere-portal-plugin A plugin for WebSphere Portal for deploying WAR, EAR, PORTLETS, EXPORT/IMPORT XM-
LACCESS. https://github.com/JuanyongZhang/websphere-portal-plugin
File-Archiver-Main An application to combine a number of files together into one archive file.
https://github.com/DymaKulia/FileArchiverMain
AppDF A Project to facilitate easy uploading of an android application along with its supporting files to
several appstores by creating a single archive AppDF file. https://github.com/onepf/AppDF
source2XMI Convert the Java source code to XMI file. https://github.com/wbssyy/source2XMI
jbm-to-hornetq A tool to facilitate migration from JBM12 to HornetQ13 messaging platform. HornetQ is an open
source asynchronous messaging project from JBoss. https://github.com/gaohoward/jbm-to-hornetq
fastcatsearch An open source distributed search engine. https://github.com/fastcatsearch-/fastcatsearch
bimoku Crawler A web crawler.
https://github.com/cncduLee/bbks-crawer/tree/master/crawler/bimoku/crawler
blog A Java blog engine. https://github.com/IgorInger/blog

In addition, speculating that there could be workarounds are required, they should refer to trusted sources only. Known
to deal with vulnerabilities, we downloaded eight random vulnerabilities of the parser and their fixes should be inves-
systems (Table V) and analysed their entire source code. We tigated and input sanitisation should be done before parsing
found that one of them had a vulnerable Java class which used XML content. Adequate security testing of the parser should
the parser but the class was not used elsewhere in the project also be performed.
(i.e., orphan code), and the others seven were vulnerable: there Recommendations for Parser Developers: Developers of
was no mitigation along the control flow from reading XML XML parsers need to be fully aware of all potential XML-
inputs until they are parsed. Therefore, we conclude it is based attacks and should be able to provide countermeasures
unlikely that developers made use of other methods to deal wherever possible. It was observed, during our experiment,
with BIL and XXE vulnerabilities. that some vulnerabilities can be exploited because of the
Regarding research question RQ2 we found that: features allowed in the default configurations of XML parsers.
Parser developers should provide Secure Default Configura-
It is highly likely that systems that use a BIL- or tions and provide alerts when any potentially insecure feature
XXE-vulnerable XML parser do not apply any proper is enabled via making changes to the default configurations.
mediating measure and are hence vulnerable. Parser developers should perform security testing of their
F. Discussion and Recommendations parsers. They should also provide better documentation in-
cluding the potential risks of enabling any feature. This would
Our extensive study has demonstrated that BIL and XXE
guide software developers in using their parser in a secure way.
attacks are in most cases neglected by the developers of XML
Threats to Validity: Regarding the validity related to
parsers and software systems that adopt them. Since these
whether or not experimental results can be considered gen-
attacks are well-known and applying them is straightforward
eralisable and representative, we have selected a large number
(it is easy to create XML test files and send them to a target
of parsers from various programming languages and domains,
system), leaving them unaddressed before deployment might
and considered in our study their latest versions. Furthermore,
have severe consequences. As demonstrated from our results,
we evaluated also their adoption on GitHub and Google Code,
a vulnerable XML parser can consume a huge amount of
the two most popular open source repositories, to make sure
memory and CPU time as the result of an attack. This typically
that the selected parsers are used in practice. As a result, we
renders the system running the XML parser unavailable for
are fairly confident that the vulnerabilities we detected both
legitimate users. Similarly, the confidentiality of information
in parsers and the systems using them suggest a worrying but
residing on the system running the vulnerable XML parser is
representative state of practice.
at risk. Exploiting XXE, an attacker can get access to such
Moreover, although we consider only one parser in the
information.
evaluation of 628 open source projects, it is the most popular
Recommendations for Software Developers: Because soft-
one; and given the clear results we obtained - only one of
ware systems that improperly use vulnerable parsers are also
the projects properly deals with BIL and XXE attacks, it is
vulnerable, we recommend that developers of such systems
unlikely that mitigation techniques are implemented in other
should pay special attention to preventing such attacks if they
projects adopting other vulnerable parsers.
decide to adopt a third-party XML parser, even if it is provided
by a high-profile vendor, such as Oracle or Microsoft. In IV. C ONCLUSION
order to block BIL and XXE attacks, software developers
should gain full understanding of the XML parser that they In this paper, we study the potential of two major types
are considering to adopt and avoid its insecure features (e.g., of XML-based attacks: XML Billion Laughs (BIL) and XML
using Schema instead of DTD). If external entity references External Entities (XXE) that may undermine today’s XML

240
parsers and systems making use of those parsers. We con- [7] E. Bertino, L. Martino, F. Paci, and A. Squicciarini. Security for Web
Services and Service Oriented Architectures. Springer, 2010.
ducted a systematic and large-scale experiment to test the [8] M. R. Brenner and M. R. Unmehopa. Service-oriented architecture
most popular XML parsers for these attacks by measuring and web services penetration in next-generation networks. Bell Labs
their impact on CPU time and memory consumption. Our Technical Journal, 12(2):147–159, 2007.
[9] R. Chang, G. Jiang, F. Ivancic, S. Sankaranarayanan, and V. Shmatikov.
main objective is to provide representative, unbiased results Inputs of coma: Static detection of denial-of-service vulnerabilities. In
of the extent of the problem in popular parsers and open Computer Security Foundations Symposium, 2009. CSF ’09. 22nd IEEE,
source systems. We designed our experiment to achieve these pages 186–199, July 2009.
[10] J. Chen, Q. Li, C. Mao, D. Towey, Y. Zhan, and H. Wang. A web services
objectives and reported the results in great detail. vulnerability testing approach based on combinatorial mutation and soap
We have studied 13 XML parsers that are widely used in message mutation. Service Oriented Computing and Applications, 8:1–
open source systems hosted on GitHub and Google Code. 13, 2014.
[11] W. Chunlei, L. Li, and L. Qiang. Automatic fuzz testing of web service
Each was tested against BIL and XXE test cases. Executing vulnerability. In Information and Communications Technologies (ICT
these tests on the vulnerable parsers took exceptionally high 2014), 2014 International Conference on, pages 1–6, May 2014.
amounts of CPU time and memory that could not have been [12] Y. Demchenko, L. Gommans, C. de Laat, and B. Oudenaarde. Web
services and grid security vulnerabilities and threats analysis and model.
efficiently carried out without our HPC platform [23]. The In The 6th IEEE/ACM International Workshop on Grid Computing.
obtained results show that most of the selected parsers are IEEE, 2005.
vulnerable to BIL and XXE exploits. Furthermore, we extended [13] A. Falkenberg, C. Mainka, J. Somorovsky, and J. Schwenk. A new
approach towards dos penetration testing on web services. In Web
our experiment to evaluate more than 700 classes from 628 Services (ICWS), 2013 IEEE 20th International Conference on, pages
open source systems that use a vulnerable XML parser and 491–498, June 2013.
found that all but one of them are vulnerable as well, thus [14] A. N. Gupta and D. P. S. Thilagam. Attacks on web services need to se-
cure xml on web. Computer Science and Engineering, An International
showing that parsers’ vulnerabilities are not properly addressed Journal (CSEIJ), 3(5), 2013.
by the systems using them. [15] M. Jensen, N. Gruschka, and R. Herkenhner. A survey of attacks on web
Such alarming results call for software developers to take services. Computer Science - Research and Development, 24(4):185–
197, 2009.
appropriate security measures before using these vulnerable [16] C. Mainka, J. Somorovsky, and J. Schwenk. Penetration testing tool
XML parsers in their software development projects. More- for web services security. In Services (SERVICES), 2012 IEEE Eighth
over, parser developers need to fix the problems and/or provide World Congress on, pages 163–170, June 2012.
[17] R. Oliveira, N. Laranjeiro, and M. Vieira. Wsfaggressor: An extensible
better documentation to help developers configure such parsers web service framework attacking tool. In Proceedings of the Industrial
to secure their usage. In future work, we will focus on testing Track of the 13th ACM/IFIP/USENIX International Middleware Confer-
XML parsers and open source systems for more XML-based ence, MIDDLEWARE ’12, pages 2:1–2:6. ACM, 2012.
[18] S. Orrin. The soa/xml threat model and new xml/so/web 2.0 attacks and
vulnerabilities, XML Injections or Signature for example. threats. In DEFCON 15, 2007.
ACKNOWLEDGEMENTS [19] S. Padmanabhuni, V. Singh, K. Senthil Kumar, and A. Chatterjee.
Preventing service oriented denial of service (presodos): A proposed
This work was supported by the National Research Fund, approach. In Web Services, 2006. ICWS ’06. International Conference
Luxembourg (FNR/P10/03 and FNR6024200). We thank the on, pages 577–584, Sept 2006.
[20] V. Patel, R. Mohandas, and A. R. Pais. Attacks on web services
testing and security team of our industry partner, CETREL, and mitigation schemes. In Security and Cryptography (SECRYPT),
for their collaboration in this project. Proceedings of the 2010 International Conference on, pages 1–6, July
2010.
R EFERENCES [21] S. Suriadi, A. Clark, and D. Schmidt. Validating denial of service
[1] Imperva Web Application Attack Report. http://www.imperva.com/docs/ vulnerabilities in web services. In Network and System Security (NSS),
HII Web Application Attack Report Ed4.pdf. Accessed: 2014-07-05. 2010 4th International Conference on, pages 175–182, Sept 2010.
[2] W3C XML Standard. http://www.w3.org/TR/REC-xml/. Accessed: [22] S. Tiwari and P. Singh. Survey of potential attacks on web services
2014-07-01. and web service compositions. In Electronics Computer Technology
[3] XML External Entity Injection. http://securityhorror.blogspot.com/2012/ (ICECT), 2011 3rd International Conference on, volume 2, pages 47–
03/what-is-xxe-attacks.html. Accessed: 2014-06-27. 51, April 2011.
[4] XML Terminology. http://en.wikipedia.org/wiki/XML/. Accessed: 2014- [23] S. Varrette, P. Bouvry, H. Cartiaux, and F. Georgatos. Management of an
02-20. academic hpc cluster: The ul experience. In Proc. of the 2014 Intl. Conf.
[5] XML Vulnerabilities Introduction. http://resources.infosecinstitute.com/ on High Performance Computing & Simulation (HPCS 2014), Bologna,
xml-vulnerabilities/. Accessed: 2014-06-22. Italy, July 2014. IEEE.
[6] N. Antunes and M. Vieira. Comparing the effectiveness of penetration [24] X. Ye. Countering ddos and xdos attacks against web services. In
testing and static code analysis on the detection of sql injection vul- Embedded and Ubiquitous Computing, 2008. EUC ’08. IEEE/IFIP
nerabilities in web services. In Dependable Computing, 2009. PRDC International Conference on, volume 1, pages 346–352, Dec 2008.
’09. 15th IEEE Pacific Rim International Symposium on, pages 301–306,
Nov 2009.

241