SignXML is an implementation of the W3C XML Signature standard in Python. This standard (also known as XMLDSig and RFC 3275) is used to provide payload security in SAML 2.0 and WS-Security, among other uses. In SignXML, you can ensure that the information signed is what you expect to be signed by only trusting the data returned by the ; the default behavior is to trust any valid XML signature generated using a valid X.509 certificate trusted by your system's CA store.

The attacks use and abuse less common features of XML and its parsers. Nevertheless, some XML libraries and applications are still vulnerable, and even heavy users of XML are surprised by these features. The majority of developers are unacquainted with features such as processing instructions and entity expansions that XML inherited from SGML. At best they know about from experience with HTML, but they are not aware that a document type definition (DTD) can generate an HTTP request or load a file from the file system.

It is too short-sighted to shift all blame onto XML parsers and XML libraries for using insecure default settings. After all, they properly implement the XML specifications. Application developers must not rely on a library always being configured for security, and against potentially harmful data, by default.

The results of an attack on a vulnerable XML library can be fairly dramatic. An attacker can keep CPUs busy for a long time with a small to medium size request. Under some circumstances it is even possible to access local files on your server, to circumvent a firewall, or to abuse services to rebound attacks to third parties.

The attack isn't as efficient as the exponential case, but it avoids triggering the countermeasures parsers have against heavily nested entities. Some parsers limit the depth and breadth of a single entity but not the total amount of expanded text throughout an entire XML document.
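The two DTD hazards described above, entity expansion that is only bounded per entity and external entities that make the parser fetch files or URLs, can both be estimated from the internal DTD subset before a real parser ever sees the document. The following is an added example, not code from SignXML or any other library on this page: a stdlib-only pre-flight check that tallies the fully expanded size of every internal entity (following entity-to-entity references, so it also covers the exponential case), sums the expansion the document body would trigger, flags any SYSTEM or PUBLIC entity declaration, and rejects recursive definitions. The budget, the regexes, the helper names and the sample documents are all constructed for this example.

```python
"""Pre-flight estimate of DTD entity expansion and external-entity use.

Added example (not from SignXML or any parser library). It approximates the
replacement-text size each internal entity expands to, including entities that
reference other entities, and totals what the document body would expand to, so
a document can be rejected on its *total* expansion rather than only on the
depth or width of a single entity. The regexes are deliberately simple: they
cover the internal DTD subset of ordinary documents, not every XML corner case.
"""
import re

# Internal entity: <!ENTITY name "value">  (or single-quoted).  External: SYSTEM/PUBLIC keyword.
INTERNAL_DECL = re.compile(r"""<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
EXTERNAL_DECL = re.compile(r"<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:SYSTEM|PUBLIC)\b")
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")   # does not match character refs such as &#10;
PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}   # built-ins expand to a single character


def split_dtd(doc):
    """Return (internal_subset, body); a document without a DOCTYPE has an empty subset."""
    m = re.search(r"<!DOCTYPE[^\[>]*(\[(.*?)\])?\s*>", doc, re.S)
    if not m:
        return "", doc
    return (m.group(2) or ""), doc[m.end():]


def expanded_sizes(entities):
    """Map entity name -> length of its fully expanded replacement text, and -> nesting depth.

    Raises ValueError on a reference cycle (recursive entities are illegal in XML)."""
    sizes, depths = {}, {}

    def visit(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity reference through {name!r}")
        value = entities[name]
        size, depth, last = 0, 0, 0
        for ref in ENTITY_REF.finditer(value):
            size += ref.start() - last          # literal text before this reference
            last = ref.end()
            inner = ref.group(1)
            if inner in PREDEFINED:
                size += 1
            elif inner in entities:
                size += visit(inner, stack | {name})
                depth = max(depth, depths[inner] + 1)
            else:
                size += len(ref.group(0))       # undeclared reference: count it literally
        size += len(value) - last               # literal text after the last reference
        sizes[name], depths[name] = size, depth
        return size

    for name in entities:
        visit(name, frozenset())
    return sizes, depths


def body_expansion(body, sizes):
    """Total characters that the entity references in the document body would expand to."""
    total = 0
    for ref in ENTITY_REF.finditer(body):
        name = ref.group(1)
        if name in PREDEFINED:
            total += 1
        elif name in sizes:
            total += sizes[name]
    return total


def analyze(doc, max_total_expansion=1_000_000):
    """Verdict dict: accept is False on over-budget expansion, external entities, or recursion."""
    subset, body = split_dtd(doc)
    entities = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
                for m in INTERNAL_DECL.finditer(subset)}
    external = EXTERNAL_DECL.findall(subset)
    try:
        sizes, depths = expanded_sizes(entities)
    except ValueError as exc:
        return {"accept": False, "reason": str(exc), "external_entities": external}
    total = body_expansion(body, sizes)
    reasons = []
    if external:
        reasons.append("external entity declared: " + ", ".join(external))
    if total > max_total_expansion:
        reasons.append(f"estimated expansion {total} exceeds budget {max_total_expansion}")
    return {"accept": not reasons, "reason": "; ".join(reasons), "external_entities": external,
            "entity_sizes": sizes, "max_depth": max(depths.values(), default=0),
            "total_expansion": total}


# Constructed sample documents (hypothetical, for demonstration only).
QUADRATIC = ('<?xml version="1.0"?>\n<!DOCTYPE bomb [\n<!ENTITY a "' + "a" * 1000 + '">\n]>\n'
             '<bomb>' + "&a;" * 2000 + '</bomb>')          # one flat entity, 2 MB of expansion
EXPONENTIAL = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ENTITY lol "lol">\n'
               '<!ENTITY lol1 "' + "&lol;" * 10 + '">\n'
               '<!ENTITY lol2 "' + "&lol1;" * 10 + '">\n'
               '<!ENTITY lol3 "' + "&lol2;" * 10 + '">\n]>\n<lolz>&lol3;</lolz>')  # nested, depth 3
EXTERNAL = ('<?xml version="1.0"?>\n<!DOCTYPE doc [\n'
            '<!ENTITY ext SYSTEM "http://example.invalid/ext.dtd">\n]>\n<doc>&ext;</doc>')
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE doc [\n<!ENTITY co "Example Corp">\n]>\n'
          '<doc>&co; &amp; &co;</doc>')

if __name__ == "__main__":
    for label, sample in [("quadratic", QUADRATIC), ("exponential", EXPONENTIAL),
                          ("external", EXTERNAL), ("benign", BENIGN)]:
        print(label, analyze(sample))
```

The quadratic sample has a single entity of depth 0, so a parser that only caps nesting depth or per-entity size lets it through; the check rejects it because its total expansion is 2,000,000 characters. The nested sample is small enough to pass the default budget but reports the depth and per-entity sizes a policy could also cap, and the external sample is rejected before any file or HTTP access could be attempted.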