Vladimir Garbuz
FILLING THE VOID: Application-level DoS
fear the XML: billion laughs
fear the XML: oversized XXE
fear the XML: soap arrays
fear the XML: too much to handle
fear the XML: large soap for DOM parsers
fear the XML: xslt processing
fear the XML: signatures – many, xslt
fear the XML: signatures – RetrievalMethod
fear the XML: signatures/encryption reference
fear the XML: nested encryption
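Added example for the billion-laughs and oversized-XXE slides above (my code, not from the deck): a wrapper around Python's stdlib `xml.parsers.expat` that caps the document size and refuses any DOCTYPE before a single entity is declared, which stops both internal entity expansion and external entity retrieval. The two payloads, the element names and the 1 MiB cap are constructed for illustration; the billion-laughs sample is kept to three levels so it stays harmless if it ever reaches an unprotected parser.

```python
"""Reject DTDs before any entity is expanded (added example, not the talk's code)."""
from __future__ import annotations

import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when a document carries a DOCTYPE, the carrier for entity bombs and XXE."""


# Constructed billion-laughs payload, deliberately shallow (3 levels, 10^3 expansions).
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
"""

# Constructed oversized-XXE payload: an external entity pointing at a device that
# never runs out of bytes, so a resolving parser reads until memory is exhausted.
OVERSIZED_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY big SYSTEM "file:///dev/zero"> ]>
<data>&big;</data>
"""

# Constructed benign document with no DTD.
BENIGN = b"<order><item sku='A1' qty='2'/></order>"


def parse_without_dtd(data: bytes, max_bytes: int = 1 << 20) -> list[str]:
    """Parse `data` and return the element names seen, refusing any DOCTYPE.

    The byte cap is the first line of defence against oversized bodies. The
    DOCTYPE handler fires before expat has looked at a single entity
    declaration, so neither internal expansion nor external retrieval starts.
    """
    if len(data) > max_bytes:
        raise ValueError(f"document larger than {max_bytes} bytes")

    seen: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in expat handlers propagate out of Parse().
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    def on_entity(*args):
        # Belt and braces: unreachable when the DOCTYPE handler fires first.
        raise DtdRejected("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def is_rejected(data: bytes) -> bool:
    """True if the bounded parser refuses `data` because of a DTD."""
    try:
        parse_without_dtd(data)
    except DtdRejected:
        return True
    return False


if __name__ == "__main__":
    print("billion laughs rejected:", is_rejected(BILLION_LAUGHS))
    print("oversized XXE rejected: ", is_rejected(OVERSIZED_XXE))
    print("benign elements:        ", parse_without_dtd(BENIGN))
```

Refusing the DOCTYPE outright is the simplest policy and is what most web services should do; if the format legitimately needs a DTD, bound entity count and expansion size instead of relying on the parser's defaults. Note that bare expat only skips external entities because no ExternalEntityRefHandler is set, and that neither that nor the amplification limit in recent expat builds does anything about the plain oversized bodies and SOAP arrays on the other slides; the byte cap is what covers those.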
processing oversized data
ReDoS – catastrophic backtracking
complex operations – look-alike, globbing, etc
logic fuckups – multiple sorting, grouping, etc
unpacking: large low-entropy data
heavy functionality invocation
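Added example for the catastrophic-backtracking slide (my code, not from the deck): a pattern with a nested, overlapping quantifier next to a rewrite that accepts exactly the same strings in linear time, plus the input-length cap that should sit in front of any regex on untrusted input. The patterns, the adversarial input and the 1024-character cap are constructed for illustration.

```python
"""ReDoS: an overlapping-quantifier pattern beside its linear rewrite (added example)."""
import re

# Vulnerable: `\w+` inside a repeated group with an optional separator lets the
# engine split one run of word characters between iterations in exponentially
# many ways, and every split is tried before `$` finally fails on a trailing "!".
VULNERABLE = re.compile(r"^(\w+\s?)*$")

# Hardened: every repetition of the inner group must begin with a whitespace
# character, so there is exactly one way to partition the input and a failure
# is reached after a linear number of steps. Accepts the same language.
HARDENED = re.compile(r"^(?:\w+(?:\s\w+)*\s?)?$")

MAX_INPUT = 1024  # constructed cap: reject before matching, not after a timeout


def adversarial_input(n: int) -> str:
    """Constructed worst case: n word characters then one that can never match."""
    return "a" * n + "!"


def matches_safely(value: str) -> bool:
    """Length-cap first, then match with the linear pattern.

    The cap is defence in depth: even a linear regex is a DoS lever on
    unbounded input, and it keeps behaviour predictable if someone later swaps
    the pattern for a slower one.
    """
    if len(value) > MAX_INPUT:
        raise ValueError(f"input longer than {MAX_INPUT} characters")
    return HARDENED.match(value) is not None


def same_decision(value: str) -> bool:
    """True when the vulnerable and hardened patterns agree on `value`.

    Only call this on short inputs: VULNERABLE is the thing being replaced.
    """
    return (VULNERABLE.match(value) is None) == (HARDENED.match(value) is None)


if __name__ == "__main__":
    import time

    # Roughly doubling per extra character for VULNERABLE, flat for HARDENED.
    for n in (16, 18, 20):
        s = adversarial_input(n)
        t0 = time.perf_counter()
        VULNERABLE.match(s)
        t1 = time.perf_counter()
        HARDENED.match(s)
        t2 = time.perf_counter()
        print(f"n={n}: vulnerable {t1 - t0:.3f}s, hardened {t2 - t1:.6f}s")
```

The rewrite works because the original's ambiguity (where does one `\w+` end and the next begin?) is removed by forcing each extra word to start with the separator; the same trick applies to most `(x+)+`-shaped patterns. Run the block directly to see the growth; the equivalence check is only meant for short inputs.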
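Added example for the "unpacking: large low-entropy data" slide (my code, not from the deck): a decompression guard built on the stdlib `zlib.decompressobj` that inflates in bounded chunks and aborts as soon as the output would exceed a size cap or an expansion ratio, instead of handing the whole inflated buffer to `zlib.decompress`. The bomb payload, the benign payload and the 1 MiB / 200:1 limits are constructed for illustration.

```python
"""Bounded decompression for low-entropy bombs (added example, not the talk's code)."""
import zlib


class DecompressionBomb(ValueError):
    """Raised when inflated output exceeds the configured size or ratio."""


def make_bomb(inflated_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed bomb: a run of zeros compresses to roughly 1/1000 of its size."""
    return zlib.compress(b"\0" * inflated_size, 9)


# Constructed benign payload: 1 KiB of varied bytes, ratio well under 10:1.
BENIGN_PLAIN = bytes(range(256)) * 4
BENIGN_COMPRESSED = zlib.compress(BENIGN_PLAIN)


def safe_decompress(data: bytes, max_out: int = 1 << 20, max_ratio: int = 200) -> bytes:
    """Inflate `data`, aborting once output exceeds `max_out` bytes or `max_ratio` x input.

    Streaming with max_length means at most `max_out + 1` bytes are ever
    materialised, however large the payload claims to be.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        room = max_out + 1 - len(out)  # the extra byte proves the cap was exceeded
        chunk = d.decompress(pending, room)
        out += chunk
        if len(out) > max_out:
            raise DecompressionBomb(f"inflated size exceeds {max_out} bytes")
        if len(out) > max_ratio * len(data):
            raise DecompressionBomb(f"expansion ratio exceeds {max_ratio}:1")
        pending = d.unconsumed_tail
        if not chunk and not pending:
            raise ValueError("truncated or corrupt stream")
    return bytes(out)


def is_bomb(data: bytes, **limits) -> bool:
    """True if `safe_decompress` refuses `data` under the given limits."""
    try:
        safe_decompress(data, **limits)
    except DecompressionBomb:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb()
    print(f"bomb: {len(bomb)} compressed bytes, rejected={is_bomb(bomb)}")
    print(f"benign: {len(safe_decompress(BENIGN_COMPRESSED))} bytes inflated")
```

The same shape applies to gzip, zip members and tar entries: never trust the size field in the header, count bytes as they come out, and set the cap from what the application can actually afford to hold, not from what the format allows.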