An attacker submits an XML document to a target application where the XML
document uses nested entity expansion to produce an excessively large output
XML. XML allows the definition of macro-like structures that can be used to
simplify the creation of complex structures. However, this capability can be
abused to create excessive demands on a processor's CPU and memory. A small
number of nested expansions can result in an exponential growth in demands
on memory. For example, consider:
<!DOCTYPE member [
<!ENTITY a
"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b
"&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
<!ENTITY c
"&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
...
Each entity increases the number of entities by a factor of 10. If the above
progression were continued to 'z' and 'z' was a simple 10-byte string, the
total memory requirement of 'a' in the resulting document would be 10^26
bytes (one-hundred septillion bytes) - well beyond the capabilities of
modern computers. Depending on the robustness of the target machine, this
can lead to resource depletion, application crash, or even the execution of
arbitrary code through a buffer overflow.
This attack is also sometimes referred to as an XML Entity Explosion
attack.
Attack Prerequisites
The target must accept XML input but either fail to provide an upper limit for
entity expansion or provide a limit that is so large that it does not
preclude significant resource consumption.
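One way to enforce such an upper limit before parsing, shown as an added example that is not part of the original entry: the Python code below computes each entity's fully expanded size arithmetically, without performing the expansion, and rejects a DOCTYPE that exceeds a limit. The function names, the 1,000,000-character default limit and the sample DOCTYPE are assumptions constructed for illustration.

```python
import re

# Internal general entities only: <!ENTITY name "value"> (parameter/external entities not covered)
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.\-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([\w.\-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character

def parse_entities(doctype_text):
    """Map entity name -> replacement text; the first declaration of a name wins, as in XML."""
    entities = {}
    for name, dq, sq in ENTITY_DECL.findall(doctype_text):
        entities.setdefault(name, dq or sq)
    return entities

def expanded_size(name, entities, cache=None, stack=()):
    """Character count of `name` after full expansion, computed without building the string."""
    cache = {} if cache is None else cache
    if name in cache:
        return cache[name]
    if name in stack:
        raise ValueError("recursive entity reference: " + name)
    if name not in entities:
        raise ValueError("undeclared entity: " + name)
    text = entities[name]
    size = len(ENTITY_REF.sub("", text))  # literal characters
    for ref in ENTITY_REF.findall(text):  # plus each reference's expanded size
        size += 1 if ref in PREDEFINED else expanded_size(ref, entities, cache, stack + (name,))
    cache[name] = size
    return size

def check_doctype(doctype_text, max_chars=1_000_000):
    """Return (ok, worst_size); ok is False when a limit is exceeded or expansion cannot finish."""
    entities = parse_entities(doctype_text)
    cache, worst = {}, 0
    try:
        for name in entities:
            worst = max(worst, expanded_size(name, entities, cache))
    except (ValueError, RecursionError):  # cycle, undeclared reference, or very deep nesting
        return False, None
    return worst <= max_chars, worst

def build_sample():
    """Constructed input: the page's a..z progression, with 'z' a 10-byte string."""
    names = "abcdefghijklmnopqrstuvwxyz"
    decls = ['<!ENTITY %s "%s">' % (n, ("&%s;" % nxt) * 10) for n, nxt in zip(names, names[1:])]
    decls.append('<!ENTITY z "0123456789">')
    return "<!DOCTYPE member [\n" + "\n".join(decls) + "\n]>"

if __name__ == "__main__":
    print(check_doctype(build_sample()))
```

Because sizes are memoized per entity, the check runs in time proportional to the size of the declarations, not the size of the expansion.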
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.