This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 29244 - XML Validator vulnerable to XML bomb attacks
Status: NEW
Alias: None
Product: Validator
Classification: Unclassified
Component: Parser
Version: HEAD
Hardware: All All
Importance: P2 trivial
Target Milestone: ---
Assignee: M Travis
QA Contact: qa-dev tracking
Reported: 2015-10-26 20:12 UTC by comfreek
Modified: 2017-04-16 09:13 UTC

Description comfreek 2015-10-26 20:12:49 UTC
1. Open https://validator.w3.org/#validate_by_input
2. Paste the source code for the billion laughs attack: https://en.wikipedia.org/wiki/Billion_laughs
3. Server responds with "500 Internal Server Error"

Comment 1 M Travis 2017-04-16 00:42:19 UTC
Here is a similar attack https://www.everipedia.com/Zip_bomb/
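
As an added example, not part of the original bug report or the validator's own code: a pre-parse guard that computes how large a document's internal entities would expand, without ever building the expansion, so a service can reject billion-laughs style input instead of failing with a 500. The function names, the regex-based DTD scan and the 1,000,000-character budget are assumptions, and the sample document is constructed.

```python
import re

# Internal general entities only: <!ENTITY name "value"> (parameter/external entities not covered).
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([\w.:-]+);")
MAX_EXPANDED_CHARS = 1_000_000  # assumed budget; tune per deployment


def expanded_sizes(xml_text):
    """Map each declared entity to its fully expanded length, computed
    arithmetically so the expansion itself is never built in memory."""
    decls = {}
    for m in ENTITY_DECL.finditer(xml_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        decls.setdefault(m.group(1), value)  # in XML the first declaration wins
    sizes = {}

    def size(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity reference: {name}")
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters
        for ref in ENTITY_REF.findall(value):
            # undeclared names (e.g. predefined &lt;) count as one character
            total += size(ref, stack | {name}) if ref in decls else 1
        sizes[name] = total
        return total

    for name in decls:
        size(name, frozenset())
    return sizes


def is_entity_bomb(xml_text, limit=MAX_EXPANDED_CHARS):
    """True if entity references in the document would expand past `limit`."""
    try:
        sizes = expanded_sizes(xml_text)
    except (ValueError, RecursionError):
        return True  # recursive or pathologically deep nesting: reject
    body = ENTITY_DECL.sub("", xml_text)
    return sum(sizes.get(r, 1) for r in ENTITY_REF.findall(body)) > limit


# Constructed sample: three levels, fan-out 10, expands to only 1000 characters.
SAMPLE = """<!DOCTYPE r [
 <!ENTITY a "xxxxxxxxxx">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]><r>&c;</r>"""
```

A scan like this is a heuristic front gate; entity-expansion limits in the XML parser itself remain the primary control.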