Thursday, June 30 • 12:25 - 13:10
Compression Bombs Strike Back


Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively, highly compressed file archive prepared with the sole goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community's attention in 1996, when it was used to mount DoS attacks against bulletin board systems.

While this may now seem an old, unsophisticated, and easily avoidable threat, we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services, including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire), and discovered that the risks of supporting data compression are still often overlooked.

In this talk, we will walk through data amplification attacks, starting from the evergreen zip bomb and XML bomb attacks and ending with our recent results. We will present the current use of data compression in several popular protocols and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. We will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attacks against popular services.
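As an added example, not part of the talk or its authors' work, here is the defensive counterpart to the amplification problem the abstract describes: inflating a zlib/DEFLATE body (as used for HTTP `Content-Encoding: deflate`) with a cap on output size and on the inflated-to-compressed ratio, so a service fails closed before its memory is exhausted. The limits and sample inputs are constructed values.

```python
# Added example (not from the talk or its authors): bounded decompression of a
# zlib/DEFLATE body, the kind of check a service needs before inflating
# compressed protocol messages. Limits and sample inputs are constructed.
import zlib

MAX_OUTPUT_BYTES = 1024 * 1024  # hard cap on inflated size (constructed value)
MAX_RATIO = 100                 # cap on inflated/compressed ratio (constructed)
CHUNK = 64 * 1024               # at most this much new output per inflate step


class DecompressionBomb(Exception):
    """Raised when the input expands beyond the configured limits."""


def bounded_inflate(data, max_out=MAX_OUTPUT_BYTES, max_ratio=MAX_RATIO):
    """Inflate `data` incrementally and abort as soon as a limit is exceeded.

    decompressobj().decompress(buf, CHUNK) returns at most CHUNK bytes and
    parks the unread input in `unconsumed_tail`, so memory use is bounded by
    CHUNK plus what has been accepted so far, and the limits are checked
    before the stream can exhaust memory (a plain zlib.decompress() would
    inflate everything first).
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        piece = d.decompress(buf, CHUNK)
        if not piece and not d.unconsumed_tail:
            raise ValueError("truncated or empty stream")
        out += piece
        if len(out) > max_out:
            raise DecompressionBomb("inflated size exceeds %d bytes" % max_out)
        if len(out) > max_ratio * len(data):
            raise DecompressionBomb("amplification exceeds %d:1" % max_ratio)
        buf = d.unconsumed_tail
    return bytes(out)


def is_bomb(data):
    """True if `data` trips the limits, False if it inflates cleanly."""
    try:
        bounded_inflate(data)
    except DecompressionBomb:
        return True
    return False


# Constructed inputs: a benign message and a 20 MB run of zeros that DEFLATE
# packs into roughly 20 KB, i.e. about 1000:1 amplification.
BENIGN = zlib.compress(bytes(range(256)) * 40)
BOMB = zlib.compress(b"\0" * 20_000_000, 9)
```

Running `bounded_inflate(BOMB)` raises `DecompressionBomb` after about 1 MiB of output instead of allocating 20 MB; the same loop with a byte counter can be dropped in front of any streaming decoder.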


Giancarlo Pellegrino

Researcher, Saarland University
Giancarlo Pellegrino is a postdoctoral researcher in the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security, in particular security testing (black- and white-box) and vulnerability analysis...

Thursday June 30, 2016 12:25 - 13:10 CEST
Room C (Tiziano Ballroom Sec. 2)