XML attribute blowup is a denial-of-service (DoS) attack against XML parsers. The attacker provides a malicious XML document with many attributes in the same XML node. When a vulnerable XML parser processes this document, inefficient attribute handling causes severe CPU load, which results in a denial-of-service condition.
The essence of the XML attribute blowup attack is to include many attributes in the same XML node. Vulnerable XML parsers manage the attributes inefficiently (e.g., in a data container for which insertion of a new attribute has O(n) runtime), which results in a nonlinear overall runtime (in this example quadratic, i.e. O(n²)). The vulnerable parser experiences a denial-of-service condition when the parsing algorithm exhausts CPU resources.
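The quadratic growth described above, and one way to bound it, as an added example that is not code from any particular parser. `linear_scan_cost` and `hashed_cost` are toy models of attribute storage, and `MAX_ATTRS`, `TooManyAttributes` and `check_attribute_limit` are hypothetical names for a screening step placed in front of a slower downstream parser.

```python
import xml.parsers.expat

def linear_scan_cost(names):
    """Toy model of the vulnerable pattern: attributes kept in a list and
    every insert scans it for a duplicate. Returns comparisons performed."""
    stored, comparisons = [], 0
    for name in names:
        for existing in stored:
            comparisons += 1
            if existing == name:
                raise ValueError(f"duplicate attribute {name!r}")
        stored.append(name)
    return comparisons

def hashed_cost(names):
    """Same uniqueness check backed by a set: one lookup per attribute."""
    stored, lookups = set(), 0
    for name in names:
        lookups += 1
        if name in stored:
            raise ValueError(f"duplicate attribute {name!r}")
        stored.add(name)
    return lookups

MAX_ATTRS = 64  # assumed policy value; tune to the schemas you accept

class TooManyAttributes(Exception):
    pass

def check_attribute_limit(xml_bytes, limit=MAX_ATTRS):
    """Stream the document through expat and reject any element carrying more
    than `limit` attributes. Returns the largest per-element count seen.
    Assumption: the screening parser itself stores attributes efficiently."""
    largest = 0
    def on_start(tag, attrs):
        nonlocal largest
        largest = max(largest, len(attrs))
        if len(attrs) > limit:
            raise TooManyAttributes(f"<{tag}> has {len(attrs)} attributes")
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)
    return largest

if __name__ == "__main__":
    for n in (1_000, 2_000, 4_000):  # constructed attribute names a0..a(n-1)
        names = [f"a{i}" for i in range(n)]
        print(n, linear_scan_cost(names), hashed_cost(names))
    print(check_attribute_limit(b'<order id="7" currency="EUR"/>'))  # constructed
```

Doubling the attribute count roughly quadruples the list-based comparison count while the set-based count only doubles, which is why a per-element attribute cap keeps worst-case parsing cost bounded.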