Preventing Denial of Service attack at the server side [SWS-873]

**[Dinesh Angolkar](https://jira.spring.io/secure/ViewProfile.jspa?name=dinni)** opened **[SWS-873](https://jira.spring.io/browse/SWS-873?redirect=false)** and commented

Hi,
The request i am trying to send through WebServiceTemplate at the client side is as follows:-

\<?xml version="1.0"?>
\<!DOCTYPE lolz [
\<!ENTITY lol "lol">
\<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
\<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
\<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
\<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
\<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
\<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
\<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
\<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">

]>
\<lolz>&lol9;\</lolz>

At the server side, i am extending "AxiomSoapMessageFactory" and overriding its "createXmlInputFactory()" method to create an instance of WstxInputFactory and injecting this in MessageDispatcherServlet. On the WstxInputFactory instance, i am setting "IS_REPLACING_ENTITY_REFERENCES" & "IS_SUPPORTING_EXTERNAL_ENTITIES" to "false".

However, when i am sending the above request the execution control goes to FrameworkServlet then DispatcherServlet but before even going to the MessageDispatcherServlet it fails throwing Java Heap Space Error.
It is trying to create a string Object using StringBuilder for the request xml, but the since the request xml has nested Entity references it throws Out Of Memory Exception.

Please see the attachment for the exception.

After debugging in detail i came to know that the Java Heap Space Error is first caught as InvocationTargetException in org.springframework.web.method.support.InvocableHandlerMethod.invoke().

Because of this the execution control is not going from the DispatcherServlet to the MessageDispatcherServlet.doService() method.

Please help me in resolving this Error.



---

**Affects:** 2.1.4

**Attachments:**
- [StackTrace.docx](https://jira.spring.io/secure/attachment/21942/StackTrace.docx) (_17.87 kB_)
- [StackTrace.txt](https://jira.spring.io/secure/attachment/21943/StackTrace.txt) (_6.62 kB_)

**Referenced from:** commits https://github.com/spring-projects/spring-ws/commit/09d614bbec38e2cbf3f2b9e279e189e9c2481c73


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Preventing Denial of Service attack at the server side [SWS-873] #948

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Preventing Denial of Service attack at the server side [SWS-873] #948

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions