Good evening. Welcome to DevCon. My name is Elan Mironic and I work for Synopsys, where I manage R&D and the Seeker agents. Now, before I get started, I'm sure a lot of you have seen the title and have a very simple question in mind, so let me preemptively answer it: yes, I do speak English. The title is a reference to Zero Wing, if you know it. Great. If you don't know it, you haven't missed anything; it's just my bad sense of humor.

References aside, let's talk about bombs. Specifically, I want to discuss XML bombs. These are a vulnerability where an attacker can send a very small XML and use, or abuse, XML entities to make this small payload create a huge artifact in memory, essentially denying service by using up all the memory the application needs to serve legitimate requests. This all sounds very serious, and maybe DevCon isn't supposed to be this serious; it's supposed to be fun. So let's have a laugh. In fact, let's have a billion laughs.

This small XML defines an entity, lol9, which in turn references a series of lol8 entities, and every lol8 entity references a series of lol7 entities, and so on and so forth. Now, if we try to think about how bad this can be: this looks like a really small XML, so how big a memory footprint does it really have? I did what any good nerd would do: I graphed it out, plotting how the size of the input string depends on the number of lol levels, and how much memory it takes up once expanded. As you can see, this grows really quickly. My benchmark went up to seven levels, at which point the input string is about 650 bytes, which is a non-issue, but it explodes to almost 30 megs in memory. And it continues exploding like this by a factor of 10, roughly. With eight levels, this would take almost 300 megabytes of memory, which I couldn't graph here because, frankly, my benchmark just crashed. But with the full 10, you'd get about three gigs, which is ridiculous.

Now, what does this mean for us? I'm not sure; XML is kind of old and boring, and your cool new project doesn't even use XML. But the bad news is that you'd have the same vulnerability in any format that allows defining entities. Are you sure you aren't using YAML? And if you are, are you sure you're protecting yourselves?

What can we do to protect ourselves? First of all, if possible, don't let users upload data in such formats: not XML, not YAML, not anything you can avoid. I know we should trust our users, but there are bad people out there. So: no upload, no vulnerability. If you do have to accept such an upload, get to know your parser. Don't assume it's secure by default. Read the documentation and check. Most parsers can either have these features turned off or limited in some way. Get to know your parser and use the right configuration. For most ecosystems we have sanitizers, but my time is running out. So with that, I just want to thank you for listening and wish you a great conference.
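Added example, not from the talk or from Synopsys: a pre-parse check using only Python's standard-library expat bindings. It collects the DTD's entity declarations, computes each entity's fully expanded size from the reference graph without ever materialising it, and refuses the document before any entity is expanded. `check_entities`, `MAX_EXPANSION` and `EntityBombError` are my own names, and `LOL2` is a constructed two-level cut of the lol chain described above.

```python
import re
import xml.parsers.expat

MAX_EXPANSION = 1_000_000   # largest replacement text (bytes) we will ever build
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")
class EntityBombError(ValueError):
    """The DTD would expand past the limit, or uses recursive/external entities."""
def _expanded_size(name, entities, memo, stack, limit):
    # Fully expanded size of entity `name`, derived from the entity graph alone.
    if name in memo:
        return memo[name]
    if name in stack:
        raise EntityBombError(f"recursive entity: {name}")
    value = entities.get(name)
    if value is None:                 # predefined (&amp;) or undeclared: no growth
        return len(name) + 2
    size = len(value)
    for ref in ENTITY_REF.finditer(value):   # swap each &x; for the size of x
        size += _expanded_size(ref.group(1), entities, memo, stack | {name}, limit)
        size -= len(ref.group(0))
    if size > limit:
        raise EntityBombError(f"entity {name} would expand to {size} bytes")
    memo[name] = size
    return size

def check_entities(xml_bytes, max_expansion=MAX_EXPANSION):
    # Returns {entity: expanded size}; raises EntityBombError before any expansion.
    entities, sizes = {}, {}
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if is_param or value is None:     # no parameter or external entities at all
            raise EntityBombError(f"external or parameter entity rejected: {name}")
        entities[name] = value            # replacement text, refs still unexpanded
    def on_end_doctype():                 # DTD finished, content not yet parsed
        for name in entities:
            _expanded_size(name, entities, sizes, frozenset(), max_expansion)
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = on_end_doctype
    parser.Parse(xml_bytes, True)         # a handler exception aborts the parse
    return sizes

# Constructed sample: the talk's lol chain cut at two levels (3 * 10^2 bytes).
LOL2 = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""
```

Run the check on the raw bytes before handing them to your real parser; with the default limit the two-level sample is allowed (300 bytes), while each further level multiplies the estimate by ten and is rejected long before the talk's seven-level, 30 MB case.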