
I'm trying to reproduce several XXE attacks against a Java web service.

When I try to reproduce "Billion Laughs" I always get this:

Exception in thread "main" org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; The parser has encountered more than "64,000" entity expansions in this document; this is the limit imposed by the application.

I've tried:

Oracle jdk1.7.0, Oracle jdk1.7.0_51, Oracle jdk1.7.0_55.

All of them are throwing the same exception, and according to this, versions _51 and _55 shouldn't.

Am I missing something?

Edit:

It works when I use "-DentityExpansionLimit=0", of course. But I need an "unpatched" JDK.

justatester
  • I'm unclear on the question. Billion Laughs is useful for, well, laughs, but if you are trying to pull off an actual attack, you'd want to try something else. – h4ckNinja Oct 13 '16 at 02:46
  • Yes, you're right. But I'm trying to create a PoC/demonstration. I need to show each possible attack (quadratic blowup, Billion Laughs (aka XML bomb), etc.). – justatester Oct 13 '16 at 03:16
  • Ahhh. Okay. You're trying to create a lab environment to demonstrate each particular issue. In that case, unfortunately I can't speak to the specific environment issues you are experiencing. Good luck though. – h4ckNinja Oct 13 '16 at 04:45
  • There's nothing on the page you point to that says the Billion Laughs attack should work on earlier releases of JDK 1.7. The page is about a much more specific problem about exactly how the entity expansion limit is counted. The limit has been there (to protect against this attack) for many years, and it will be difficult to find a JDK old enough to contain this vulnerability. – Michael Kay Oct 13 '16 at 08:29
  • Yes, the restriction has been there since SE5 http://docs.oracle.com/javase/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html. So it would be a matter of trying SE 4.0, but that would be stupid. I obviously misunderstood the bug fix. I thought it was a restriction that was added in 7u45 and then removed again in 7u55. Thx – justatester Oct 13 '16 at 19:02
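From the defender's side, the 64,000 expansion limit reported in the exception above is only a backstop, and it can be switched off (as the `-DentityExpansionLimit=0` edit shows). The usual hardening for a JAXP parser is to reject any DOCTYPE outright, so entity declarations never reach the expansion counter. The following is an added example, not code from the question or its comments; the class name, method names and the two constructed inputs are assumptions for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Build a DocumentBuilder that refuses any DOCTYPE, so internal entity
    // bombs and external-entity (XXE) references are rejected before any
    // expansion takes place, independent of the JDK's expansion limit.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns true when the document is accepted, false when the parser
    // rejects it because it carries a DOCTYPE declaration.
    static boolean parseAccepted(String xml) throws Exception {
        try {
            Document doc = hardenedBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // The built-in Xerces parser reports the disallowed DOCTYPE here,
            // before any entity is declared or expanded.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one declaring an internal entity.
        String plain = "<order><id>42</id></order>";
        String withDtd = "<!DOCTYPE order [<!ENTITY a \"lol\">]><order>&a;</order>";
        System.out.println("plain document accepted: " + parseAccepted(plain));
        System.out.println("DOCTYPE document accepted: " + parseAccepted(withDtd));
    }
}
```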
