Spring Web Services / SWS-873

Preventing Denial of Service attack at the server side

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.1.4
    • Fix Version/s: 2.2.RC1
    • Component/s: XML
    • Labels:
      None
    • Environment:
      Windows 7, JDK1.7.51, Tomcat 7.0.32

      Description

      Hi,
      The request I am trying to send through WebServiceTemplate at the client side is as follows:

      <?xml version="1.0"?>
      <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
      ]>
      <lolz>&lol9;</lolz>

      At the server side, I am extending "AxiomSoapMessageFactory" and overriding its "createXmlInputFactory()" method to create an instance of WstxInputFactory and injecting this into the MessageDispatcherServlet. On the WstxInputFactory instance, I am setting "IS_REPLACING_ENTITY_REFERENCES" & "IS_SUPPORTING_EXTERNAL_ENTITIES" to "false".

      However, when I send the above request, the execution control goes to FrameworkServlet, then DispatcherServlet, but before even reaching the MessageDispatcherServlet it fails, throwing a Java Heap Space Error.
      It is trying to create a String object using StringBuilder for the request XML, but since the request XML has nested entity references it throws an Out Of Memory Exception.

      Please see the attachment for the exception.

      After debugging in detail I came to know that the Java Heap Space Error is first caught as an InvocationTargetException in org.springframework.web.method.support.InvocableHandlerMethod.invoke().

      Because of this the execution control is not going from the DispatcherServlet to the MessageDispatcherServlet.doService() method.

      Please help me in resolving this Error.

      Attachments:
      1. StackTrace.docx (18 kB, Dinesh Angolkar)
      2. StackTrace.txt (7 kB, Dinesh Angolkar)

        Activity

        Dinni Dinesh Angolkar created issue -
        arjen.poutsma Arjen Poutsma added a comment -

        I do not have access to Microsoft Word. Could you attach the stack trace in another format? Or better yet: paste it in a comment in noformat tags?

        Dinni Dinesh Angolkar added a comment - - edited

        org.springframework.web.util.NestedServletException: Handler processing failed; nested exception is java.lang.OutOfMemoryError: Java heap space
        	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:972)
        	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
        	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
        	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
        	at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        	at com.cannontech.servlet.filter.GeneralSecurityFilter.doFilter(GeneralSecurityFilter.java:27)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        	at com.cannontech.servlet.filter.FacesFilter.doFilter(FacesFilter.java:38)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        	at com.cannontech.servlet.filter.TimerFilter.doFilter(TimerFilter.java:36)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        	at com.cannontech.web.util.ErrorHelperFilter.doFilter(ErrorHelperFilter.java:139)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
        	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        	at com.cannontech.web.login.LoginFilter.doFilter(LoginFilter.java:145)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
        	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
        	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
        	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
        	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        	at java.lang.Thread.run(Thread.java:744)
        Caused by: java.lang.OutOfMemoryError: Java heap space
        	at java.util.Arrays.copyOf(Arrays.java:2367)
        	at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:130)
        	at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:114)
        	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:535)
        	at java.lang.StringBuilder.append(StringBuilder.java:204)
        	at com.sun.org.apache.xalan.internal.xsltc.trax.SAX2DOM.characters(SAX2DOM.java:117)
        	at com.sun.org.apache.xml.internal.serializer.ToXMLSAXHandler.characters(ToXMLSAXHandler.java:546)
        	at org.apache.xerces.parsers.AbstractSAXParser.characters(Unknown Source)
        	at org.apache.xerces.impl.dtd.XMLDTDValidator.characters(Unknown Source)
        	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanContent(Unknown Source)
        	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
        	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        	at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        	at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transformIdentity(TransformerImpl.java:650)
        	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:746)
        	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:359)
        	at org.springframework.ws.client.core.WebServiceTemplate$5.doWithMessage(WebServiceTemplate.java:496)
        	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:573)
        	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:539)
        	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:494)
        	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:438)
        	at com.cannontech.web.support.development.EimTestController.sendSoapRequest(EimTestController.java:162)
        	at com.cannontech.web.support.development.EimTestController.executeRequest(EimTestController.java:127)
        	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        	at java.lang.reflect.Method.invoke(Method.java:606)
        	at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:219)
        	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
        04/11/2014 15:31:51,533 IST [http-bio-8080-exec-5] ERROR 

        Dinni Dinesh Angolkar made changes -
        Field        Original Value   New Value
        Attachment                    StackTrace.txt [ 21943 ]
        arjen.poutsma Arjen Poutsma added a comment -

        I don't think there is anything we can do about the particular issue you're running into. That said, disabling the "IS_REPLACING_ENTITY_REFERENCES" & "IS_SUPPORTING_EXTERNAL_ENTITIES" properties is a good idea by default. I've changed the AxiomSoapMessageFactory accordingly.

        arjen.poutsma Arjen Poutsma made changes -
        Field          Original Value   New Value
        Resolution                      Fixed [ 1 ]
        Fix Version/s                   2.2 [ 12850 ]
        Assignee                        Arjen Poutsma [ arjen.poutsma ]
        Status         Open [ 1 ]       Resolved [ 5 ]
        Dinni Dinesh Angolkar added a comment -

        Is it possible to have a feature like "prohibitDtd" in the DispatcherServlet itself, so that such malicious requests can be handled appropriately based on the business needs without causing runtime errors?
        We can find this feature in the Microsoft .NET framework.

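Added example, not code from this issue or from Spring WS: the server-side factory override that the report and the fix comment describe, with SUPPORT_DTD switched off as well, which is the StAX counterpart of the prohibitDtd switch asked about in the last comment. It assumes Spring WS 2.x on the classpath; the class name HardenedSoapMessageFactory and the cut-down three-level entity document in main are invented here.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.springframework.ws.soap.axiom.AxiomSoapMessageFactory;
/**
 * Server-side message factory with the two properties from this issue turned off
 * and, in addition, DTD support disabled so a DOCTYPE never gets to declare entities.
 * Added example; the class name is an assumption, not a Spring WS class.
 */
public class HardenedSoapMessageFactory extends AxiomSoapMessageFactory {

    @Override
    protected XMLInputFactory createXmlInputFactory() {
        return hardenedInputFactory();
    }

    /** Only standard javax.xml.stream property names, so Woodstox and the JDK parser both accept them. */
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return factory;
    }

    /**
     * Parses with the hardened factory and returns how many characters of text the parser
     * produced. Nested entities are never expanded: depending on the parser the DOCTYPE is
     * rejected or the reference is undeclared (XMLStreamException), or the reference is
     * reported as an ENTITY_REFERENCE event rather than as text.
     */
    static int textLengthProduced(String xml) throws XMLStreamException {
        XMLStreamReader reader = hardenedInputFactory().createXMLStreamReader(new StringReader(xml));
        int length = 0;
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    length += reader.getTextLength();
                }
            }
        } finally {
            reader.close();
        }
        return length;
    }

    public static void main(String[] args) {
        // Constructed three-level cut-down of the nested-entity request in the report;
        // with expansion enabled it would yield 300 characters of text, not zero.
        String nested = "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n"
                + "<!ENTITY lol \"lol\">\n"
                + "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
                + "<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
                + "]>\n<lolz>&lol3;</lolz>";
        try {
            System.out.println("text characters produced: " + textLengthProduced(nested));
        } catch (XMLStreamException e) {
            System.out.println("request rejected by the parser: " + e.getMessage());
        }
    }
}
```

This covers the server-side path only; the stack trace above shows the client failing earlier, inside a JAXP Transformer invoked by WebServiceTemplate, which the message factory settings do not reach.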
        Transition         Time In Source Status   Execution Times   Last Executer    Last Execution Date
        Open -> Resolved   1h 9m                   1                 Arjen Poutsma    15/Apr/14 6:41 AM

          People

          • Assignee:
            arjen.poutsma Arjen Poutsma
          • Reporter:
            Dinni Dinesh Angolkar
          • Votes:
            0
          • Watchers:
            2