Application Security Terminology

Glossary

XML Attribute Blowup

XML attribute blowup is a denial-of-service (DoS) attack against XML parsers. The attacker provides a malicious XML document with many attributes in the same XML node. When a vulnerable XML parser processes this document, a denial-of-service condition results, caused by inefficient processing and severe CPU load.

The essence of the XML attribute blowup attack is to include many attributes in the same XML node. Vulnerable XML parsers manage the attributes in an inefficient manner (e.g., in a data container for which insertion of a new attribute has O(n) runtime), and this results in a nonlinear (in this example, quadratic, i.e. O(n^2)) overall runtime. The vulnerable parser experiences a denial-of-service condition when CPU resources are exhausted because of the parsing algorithm.
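
The cost difference described above can be made concrete by counting the work a parser's attribute container does for one element. This is an added example, not code from any real parser: `ListAttrs`, `HashAttrs`, `insert_work` and the cap of 256 are hypothetical names and values, and the attribute names are constructed.

```python
# Added illustration; ListAttrs, HashAttrs and max_attrs are hypothetical names.

class AttributeLimitExceeded(Exception):
    """Raised when one element carries more attributes than the configured cap."""

class ListAttrs:
    """Inefficient model: each insert scans every earlier attribute (O(n))."""
    def __init__(self):
        self.items = []
        self.work = 0  # name comparisons performed so far

    def add(self, name, value):
        for existing, _ in self.items:
            self.work += 1
            if existing == name:
                raise ValueError(f"duplicate attribute {name!r}")
        self.items.append((name, value))

class HashAttrs:
    """Hardened model: hash lookup per insert plus a per-element attribute cap."""
    def __init__(self, max_attrs=256):  # cap value is an assumed policy choice
        self.items = {}
        self.work = 0  # hash lookups performed so far
        self.max_attrs = max_attrs

    def add(self, name, value):
        if len(self.items) >= self.max_attrs:
            raise AttributeLimitExceeded(f"more than {self.max_attrs} attributes")
        self.work += 1
        if name in self.items:
            raise ValueError(f"duplicate attribute {name!r}")
        self.items[name] = value

def insert_work(store, n):
    """Insert n distinct constructed attribute names; return the work counted."""
    try:
        for i in range(n):
            store.add(f"a{i}", "")
    except AttributeLimitExceeded:
        pass  # the element is rejected; work stops at the cap
    return store.work

if __name__ == "__main__":
    for n in (1000, 2000, 4000):
        print(n, insert_work(ListAttrs(), n), insert_work(HashAttrs(max_attrs=n), n),
              insert_work(HashAttrs(), n))
```

Doubling the attribute count quadruples the list-based work, n(n-1)/2 comparisons, while the hash-based container grows linearly and the cap bounds the work per element regardless of input size.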