Skip to content

Latest commit

 

History

History
66 lines (57 loc) · 6.04 KB

attack-surface.md

File metadata and controls

66 lines (57 loc) · 6.04 KB

Attack Surface Analysis for fizzed/font-mfizz

Attack Surface: XML External Entity (XXE) Injection

  • Description: Attackers inject malicious XML entities to access local files, perform SSRF, or cause DoS.
  • font-mfizz Contribution: font-mfizz processes SVG files, which are XML-based. If the underlying XML parser doesn't disable external entity resolution, it's vulnerable. This is a direct vulnerability because font-mfizz's core functionality is SVG processing.
  • Example: An SVG containing <!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><svg>&xxe;</svg> attempts to read the /etc/passwd file.
  • Impact:
    • Local file disclosure (sensitive data exposure).
    • Server-Side Request Forgery (SSRF) – accessing internal services.
    • Denial of Service (DoS).
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Disable External Entities: Configure the XML parser used by font-mfizz (or the application integrating it) to completely disable DTD processing and external entity resolution. This is the primary defense. In Java, this often involves setting features on the DocumentBuilderFactory and XMLInputFactory. Example: 
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
    • Use a Secure XML Parser: Employ a well-maintained XML parser known for its security and resistance to XXE attacks.
    • Input Validation (Whitelist): Validate the SVG input against a strict whitelist of allowed elements and attributes before passing it to the XML parser.

Attack Surface: XML Bomb (Billion Laughs Attack)

  • Description: Attackers use nested entities to cause exponential expansion, consuming memory and leading to DoS.
  • font-mfizz Contribution: font-mfizz's SVG parsing is the direct entry point for this attack, as it's the component handling the XML-based SVG input.
  • Example: An SVG with deeply nested entities like: <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> ... <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]><svg>&lol9;</svg>
  • Impact: Denial of Service (DoS) due to resource exhaustion (memory).
  • Risk Severity: High
  • Mitigation Strategies:
    • Entity Expansion Limits: Configure the XML parser to limit the depth and number of entity expansions. Many parsers have built-in safeguards, but ensure they are enabled and appropriately configured.
    • Input Size Limits: Impose a reasonable maximum size limit on the input SVG file before it reaches font-mfizz.
    • Resource Monitoring: Monitor the application's memory and CPU usage to detect and respond to potential XML bomb attacks.

Attack Surface: Server-Side Request Forgery (SSRF) via External Resources

  • Description: Attackers use external resource references within the SVG (e.g., images, fonts) to make the server perform unintended requests.
  • font-mfizz Contribution: font-mfizz might process these external references during SVG parsing, making it directly involved if it doesn't properly restrict or validate these references.
  • Example: An SVG referencing an external image: <image xlink:href="http://internal.server/sensitive-data"/>.
  • Impact:
    • Access to internal network resources.
    • Port scanning of internal or external networks.
    • Potential data exfiltration.
  • Risk Severity: High
  • Mitigation Strategies:
    • Disable External Resource Loading: Configure the XML parser to disallow loading of external resources (images, fonts, etc.). This is the most secure option.
    • URL Whitelisting: If external resources must be allowed, implement a strict whitelist of permitted URLs or domains before passing the SVG to font-mfizz.
    • Network Segmentation: Isolate the server running font-mfizz to limit the impact of successful SSRF attacks.

Attack Surface: Dependency Vulnerabilities (High-Risk Dependencies)

  • Description: Vulnerabilities in libraries that font-mfizz depends on, specifically focusing on high-risk dependencies like XML parsers.
  • font-mfizz Contribution: font-mfizz directly relies on these dependencies. The most critical dependency is the XML parsing library.
  • Example: A vulnerability in the XML parsing library used by font-mfizz that allows for XXE or other XML-based attacks.
  • Impact: Varies depending on the specific vulnerability; could range from DoS to arbitrary code execution (especially if the XML parser is vulnerable).
  • Risk Severity: High (Potentially Critical, depending on the specific dependency and vulnerability)
  • Mitigation Strategies:
    • Dependency Scanning: Use tools like OWASP Dependency-Check, Snyk, or similar to specifically identify known vulnerabilities in font-mfizz's XML parsing library and other critical dependencies.
    • Regular Updates: Keep all dependencies, especially the XML parser, up-to-date with the latest security patches.
    • Dependency Minimization: If possible, reduce the number of dependencies, particularly those involved in parsing untrusted input.
    • Careful Dependency Selection: Choose well-vetted and actively maintained dependencies, especially for security-critical tasks like XML parsing.