http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
XML Denial of Service Attacks and Defenses
Bryan Sullivan
Denial of service (DoS) attacks are among the oldest types of attacks against Web sites. Documented DoS attacks exist at least as far back as 1992, which predates SQL injection (discovered in 1998), cross-site scripting (JavaScript wasn’t invented until 1995), and cross-site request forgery (CSRF attacks generally require session cookies, and cookies weren’t introduced until 1994).
From the beginning, DoS attacks were highly popular with the hacker community, and it’s easy to understand why. A single “script kiddie” attacker with a minimal amount of skill and resources could generate a flood of TCP SYN (for synchronize) requests sufficient to knock a site out of service. For the fledgling e-commerce world, this was devastating: if users couldn’t get to a site, they couldn’t very well spend money there either. DoS attacks were the virtual equivalent of erecting a razor-wire fence around a brick-and-mortar store, except that any store could be attacked at any time, day or night.
Over the years, SYN flood attacks have been largely mitigated by improvements in Web server software and network hardware. However, lately there has been a resurgence of interest in DoS attacks within the security community—not for “old school” network-level DoS, but instead for application-level DoS and particularly for XML parser DoS.
XML DoS attacks are extremely asymmetric: to deliver the attack payload, an attacker needs to spend only a fraction of the processing power or bandwidth that the victim needs to spend to handle the payload. Worse still, DoS vulnerabilities in code that processes XML are also extremely widespread. Even if you’re using thoroughly tested parsers like those found in the Microsoft .NET Framework System.Xml classes, your code can still be vulnerable unless you take explicit steps to protect it.
This article describes some of the new XML DoS attacks. It also shows ways for you to detect potential DoS vulnerabilities and how to mitigate them in your code.
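As an illustration of the "explicit steps" mentioned above, the following is an added example, not code from the original article: two `XmlReaderSettings` configurations for `System.Xml` (.NET Framework 4.0 or later), one that refuses DTDs outright and one that accepts them but bounds entity expansion. The class name, the helper names and the numeric limits are assumptions chosen for the example.

```csharp
using System;
using System.IO;
using System.Xml;

static class HardenedXml
{
    // Assumed limits for this example; size them to the largest legitimate document you accept.
    const long MaxDocumentChars = 1_000_000;
    const long MaxEntityChars = 1_024;

    // Strict profile: any DOCTYPE raises XmlException, and total input size is capped.
    public static XmlReaderSettings Strict() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,                       // never fetch external resources
        MaxCharactersInDocument = MaxDocumentChars
    };

    // For callers that must accept DTDs: parse them, but bound what entities may expand to.
    public static XmlReaderSettings DtdAllowedButBounded() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = null,
        MaxCharactersFromEntities = MaxEntityChars,
        MaxCharactersInDocument = MaxDocumentChars
    };

    // Reads the whole document; returns false with the parser's message if a limit or rule is hit.
    public static bool TryParse(string xml, XmlReaderSettings settings, out string error)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
                while (reader.Read()) { }
            error = null;
            return true;
        }
        catch (XmlException ex) { error = ex.Message; return false; }
    }

    static void Main()
    {
        // Constructed sample input: a benign document with one small internal entity.
        string sample = "<!DOCTYPE r [<!ENTITY e \"hello\">]><r>&e;</r>";
        Console.WriteLine("strict:  " + (TryParse(sample, Strict(), out var e1) ? "parsed" : "rejected: " + e1));
        Console.WriteLine("bounded: " + (TryParse(sample, DtdAllowedButBounded(), out var e2) ? "parsed" : "rejected: " + e2));
    }
}
```

Both profiles turn an oversized or disallowed document into an `XmlException` that the caller can log and reject, so the parser stops before the work grows out of proportion to the request.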
https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)