Open Access Te Herenga Waka-Victoria University of Wellington

Caught in the Web: DoS Vulnerabilities in Parsers for Structured Data?

conference contribution
posted on 2021-08-17, 23:41 authored by Shawn Rasheed, Jens Dietrich, Amjed Tahir
We study a class of denial-of-service (DoS) vulnerabilities that occur in parsing structured data. These vulnerabilities enable low bandwidth DoS attacks with input that causes algorithms to execute in disproportionately large time and / or space. We generalise the characteristics of these vulnerabilities, and frame them in terms of three aspects, TTT: (1) the Topology of composite data structures formed by the internal representation of parsed data, (2) the presence of recursive functions for the Traversal of the data structures and (3) the presence of a Trigger that enables an attacker to activate the traversal. An analysis based on this abstraction was implemented for one target platform (Java), and in our study, we found that the impact of the results obtained with this method goes beyond Java. The inputs from our investigation revealed several similar vulnerabilities in programs written in other languages such as Rust and PHP. As a result we have reported 11 issues (of which seven have been accepted as issues), and obtained four CVEs for some of those issues in PDF, SVG and YAML libraries across different languages.


Safeguarding Library Evolution | Funder: ORACLE CORPORATION


Preferred citation

Rasheed, S., Dietrich, J. & Tahir, A. (2021, October). Caught in the Web: DoS Vulnerabilities in Parsers for Structured Data?

Contribution type

Published Paper
