CAPEC-197: XML Entity Expansion (CAPEC Version 2.9)

Attack Pattern ID: 197
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures (entities, declared in a DTD) that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory: a small number of nested expansions results in exponential growth in the memory and CPU the parser needs.

+ Attack Execution Flow

Explore

  1. Survey the target:

     Using a browser or an automated tool, an attacker records all instances of web services that process XML requests.

     Attack Step Techniques

     ID | Attack Step Technique Description | Environments
     1 | Use an automated tool to record all instances of URLs that process XML requests. | env-Web, env-ClientServer
     2 | Use a browser to manually explore the website and analyze how the application processes XML requests. | env-Web, env-ClientServer

     Indicators

     ID | Type | Indicator Description | Environments
     1 | Positive | The URL processes XML content. | env-Web, env-ClientServer
     2 | Inconclusive | The application does not seem to accept XML content. | env-Web, env-ClientServer

     Security Controls

     ID | Type | Security Control Description
     1 | Detective | Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it click far slower and far less regularly than tools; tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Exploit

  1. Launch an XML Entity Expansion attack:

     The attacker crafts a malicious XML message that forces recursive entity expansion (or other repeated processing) until it consumes all available server resources.

     Attack Step Techniques

     ID | Attack Step Technique Description | Environments
     1 | Send the maliciously crafted XML message containing recursive entity references to the target URL. | env-Web, env-ClientServer

     Outcomes

     ID | Type | Outcome Description
     1 | Success | The attacker causes a denial of service against the target application.

     Security Controls

     ID | Type | Security Control Description
     1 | Preventative | Disable altogether the use of inline DTD schemas in your XML parsing objects.
+ Attack Prerequisites
  • This type of attack requires that the target must receive XML input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption.

+ Typical Severity

Medium

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Flooding
+ Examples-Instances

Description

The most common example of this type of attack is the "many laughs" attack (sometimes called the 'billion laughs' attack). For example:

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

This is well-formed and valid XML according to the DTD. Each entity declaration references the one before it ten times, so every level multiplies the number of "lol" copies by 10: &lol9; expands to 10^9 copies of "lol", roughly 3 GB of text. A message of under 1 KB is thus expanded into gigabytes of memory in the parser. Adding three more entities of the same shape (lol10 through lol12) to the DTD and referencing the last one raises the expansion to 10^12 copies, several TB. Depending on the robustness of the target machine, this can lead to resource depletion or an application crash and, in a parser with memory-safety defects, potentially a buffer overflow leading to arbitrary code execution.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

The attacker only needs to be able to send a crafted XML message containing recursive entity references to the target.

+ Resources Required

No special resource required.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input. Use parsing methods that limit entity expansion and raise an exception when the limit is exceeded.

Implementation: Disable altogether the use of inline DTD schemas in your XML parsing objects. If DTDs must be used, normalize, filter and allow-list the input, and parse with methods and routines that detect entity expansion from untrusted sources.
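The following Python example is added here to make the Examples section and the two mitigations above concrete; it is not part of the CAPEC entry. It uses the standard-library expat binding, which reports each entity declaration in the internal DTD subset before that entity can be referenced. Two policies are shown: rejecting any inline DTD outright, and, where DTDs must be accepted, sizing every internal entity's fully expanded replacement text against a budget and aborting the parse as soon as one exceeds it. The sample documents, the function and class names, and the 10,000-character default budget are this example's own choices; the sample is the page's listing truncated at lol4 so that it expands to only 30,000 characters and can be run to completion.

```python
import re
import xml.parsers.expat as expat

# Constructed sample (the page's listing cut down to lol4): "&lol4;" expands to
# 10^4 copies of "lol", i.e. 30,000 characters, small enough to expand fully here.
SMALL_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>
"""

# Constructed benign document with no DTD at all.
PLAIN = '<?xml version="1.0"?><lolz>just lol</lolz>'


class EntityExpansionError(ValueError):
    """Raised when a document declares a DTD or an entity that this parser refuses."""


# A general-entity reference inside an entity value: "&name;"
_ENTITY_REF = re.compile(r"&([^&;\s]+);")


def expanded_length(value, sizes):
    """Length of an internal entity's replacement text once every nested entity
    reference in it has been expanded.  `sizes` maps already declared entities
    to their expanded length.  A reference to an undeclared name (or to a
    predefined entity such as &amp;) is counted at its literal length, which is
    conservative; expat rejects truly undeclared names later anyway."""
    total, last = 0, 0
    for m in _ENTITY_REF.finditer(value):
        total += m.start() - last                        # literal text before the reference
        total += sizes.get(m.group(1), len(m.group(0)))  # expanded size of the reference
        last = m.end()
    return total + len(value) - last                     # literal text after the last reference


def parse_xml(data, allow_dtd=False, max_entity_expansion=10_000):
    """Parse `data`; return (root element name, characters of text delivered).

    allow_dtd=False (the page's preventative control): any <!DOCTYPE> aborts
    the parse before a single entity is declared.
    allow_dtd=True: each internal entity is sized as it is declared and the
    parse aborts as soon as one would expand beyond max_entity_expansion
    characters; external entities, which cannot be sized, are refused."""
    parser = expat.ParserCreate()
    sizes = {}
    result = {"root": None, "chars": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise EntityExpansionError("inline DTD rejected: <!DOCTYPE %s>" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if value is None:  # external entity: no replacement text to size
            raise EntityExpansionError("external entity %r rejected" % name)
        size = expanded_length(value, sizes)
        if size > max_entity_expansion:
            raise EntityExpansionError(
                "entity %r would expand to %d characters (limit %d)"
                % (name, size, max_entity_expansion))
        sizes[name] = size

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_chars(text):
        result["chars"] += len(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse
    return result["root"], result["chars"]


def is_rejected(data, **policy):
    """True if parse_xml refuses `data` under the given policy."""
    try:
        parse_xml(data, **policy)
    except EntityExpansionError:
        return True
    return False


if __name__ == "__main__":
    print(parse_xml(PLAIN))  # ('lolz', 8)
    for policy in ({}, {"allow_dtd": True}, {"allow_dtd": True, "max_entity_expansion": 100_000}):
        try:
            print(policy, "->", parse_xml(SMALL_LAUGHS, **policy))
        except EntityExpansionError as err:
            print(policy, "-> rejected:", err)
```

Because expat reports declarations in order and nested references resolve against entities already sized, the budget check runs before the parser ever allocates the expanded text, which is what distinguishes it from a limit applied after expansion. Recent expat releases (2.4.0 and later, as bundled with current Python) also enforce an amplification limit of their own once expansion passes a few megabytes, and libraries such as defusedxml refuse entity declarations entirely; the allow_dtd=False path above is the equivalent of the page's "disable inline DTDs" control.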

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Availability | DoS: amplification; DoS: resource consumption (CPU); DoS: resource consumption (memory); DoS: resource consumption (other) | Denial of Service
+ Injection Vector

XML-capable system interfaces

+ Payload

Maliciously crafted entity expansion XML message

+ Activation Zone

XML inspection, parsing and validation routines

+ Payload Activation Impact

Denial of Service

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: High
+ Technical Context
Architectural Paradigms
SOA
Frameworks
All
Platforms
All
+ References
[R.197.1] Amit Klein. "Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD". <http://www.securityfocus.com/archive/1/303509>.
[R.197.2] [REF-14] Andre Yee. "Threat Protection in a Service Oriented World". NFR Security. <http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf>.
[R.197.3] [REF-15] Pete Lindstrom. "Attacking & Defending Web Services". SPiRE Security. 2002. <http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf>.
[R.197.4] [REF-16] Elliotte Rusty Harold. "Tip: Configure SAX parsers for secure processing". IBM developerWorks. IBM. May 27, 2005. <http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html>.
[R.197.5] [REF-17] Bryan Sullivan. "XML Denial of Service Attacks and Defenses". November 2009 Issue. MSDN Magazine. Microsoft. 2009. <http://msdn.microsoft.com/en-us/magazine/ee335713.aspx>.
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team

Page Last Updated or Reviewed: December 07, 2015