CAPEC-201: XML Entity Linking (Version 3.0)

Attack Pattern ID: 201
Abstraction: Detailed
Status: Draft
+ Description
An attacker creates an XML document that contains an external entity reference. External entity references take the form of <!ENTITY name SYSTEM "uri"> declarations in a DTD. Because processors may not validate documents that declare external entities, there may be no checks on what the external entity actually refers to. This can allow an attacker to open arbitrary files or network connections through the parser.
+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships

The table(s) below show the other attack patterns and high-level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, and MemberOf, and give insight into similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
Nature    Type                      ID    Name
ChildOf   Standard Attack Pattern   231   XML Oversized Payloads
ChildOf   Standard Attack Pattern   278   Web Services Protocol Manipulation

Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.
+ Execution Flow
Explore
  1. Survey the target: Using a browser or an automated tool, an attacker records all instances of web services that process XML requests.

    Techniques
    Use an automated tool to record all instances of URLs that process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.
Exploit
  1. Launch an XML Entity Linking attack: The attacker crafts a malicious XML message that contains references to sensitive files.

    Techniques
    Send the maliciously crafted XML message containing the reference to a sensitive file to the target URL.
+ Prerequisites
The target must follow external entity references without validating the reference target.
+ Skills Required
[Level: Low]
To send XML messages with maliciously crafted DTDs.
+ Resources Required
None: No specialized resources are required to execute this type of attack.
+ Mitigations
Configure the XML processor to only retrieve external entities from trusted sources.
+ Example Instances

The following DTD would attempt to open the /dev/tty device:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>

A malicious actor could use this crafted DTD to reveal sensitive information.
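The mitigation above ("only retrieve external entities from trusted sources") and the /dev/tty example can be shown together with a parser configured that way. The following is an added example, not CAPEC's own code: it uses Python's expat binding, whose ExternalEntityRefHandler is consulted for every external entity the document references, and refuses any entity that is not a file: URI resolving inside one trusted directory. The trusted directory, the helper names (is_trusted_entity, parse_with_entity_allowlist, UntrustedEntityError, demo) and the sample documents are all constructed for this example and are not on the CAPEC page.

```python
"""Added example (not CAPEC's own code): an expat parser that retrieves
external entities only from a trusted source.

Assumptions (not on the CAPEC page): the trusted source is one local
directory, modelled here with a temporary directory; all helper names and
sample documents below are constructed for this example.
"""
import tempfile
import xml.parsers.expat as expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname


class UntrustedEntityError(Exception):
    """Raised when a document references an external entity outside the allowlist."""


def entity_path(system_id):
    """Return the resolved local path a file: URI points at, or None for any other scheme."""
    parts = urlparse(system_id)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return None
    return Path(url2pathname(parts.path)).resolve()


def is_trusted_entity(system_id, trusted_root):
    """True only if system_id is a file: URI whose *resolved* path lies under trusted_root.

    Resolving before comparing defeats '..' traversal that a plain string
    prefix check on the URI would accept.
    """
    path = entity_path(system_id)
    if path is None:
        return False
    try:
        path.relative_to(Path(trusted_root).resolve())
    except ValueError:
        return False
    return True


def parse_with_entity_allowlist(xml_text, trusted_root):
    """Parse xml_text and return its character data.

    An external entity is expanded only when is_trusted_entity() accepts it.
    For anything else the handler returns 0, which makes expat abort the
    parse with an ExpatError before anything is opened.
    """
    parser = expat.ParserCreate()
    chunks, rejected = [], []
    parser.CharacterDataHandler = chunks.append

    def on_external_entity(context, base, system_id, public_id):
        if not is_trusted_entity(system_id, trusted_root):
            rejected.append(system_id)
            return 0  # refuse: expat raises, the target is never opened
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = chunks.append
        sub.Parse(entity_path(system_id).read_bytes(), True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as err:
        if rejected:
            raise UntrustedEntityError(f"refused external entity {rejected[0]}") from err
        raise
    return "".join(chunks)


# Constructed sample: the DTD from the CAPEC example, with the entity referenced in content.
XXE_DOC = '<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]><doc>&ent;</doc>'


def demo():
    """Run the rejected, trusted and traversal cases; returns a dict of results."""
    root = tempfile.mkdtemp()
    banner = Path(root) / "banner.txt"
    banner.write_text("Trusted text")
    trusted_doc = f'<!DOCTYPE doc [ <!ENTITY b SYSTEM "{banner.as_uri()}"> ]><doc>&b;</doc>'
    escaped_uri = Path(root).as_uri() + "/../escaped.txt"
    try:
        parse_with_entity_allowlist(XXE_DOC, root)
        rejected = None
    except UntrustedEntityError as err:
        rejected = str(err)
    return {
        "rejected": rejected,
        "trusted_text": parse_with_entity_allowlist(trusted_doc, root),
        "prefix_check_would_accept": escaped_uri.startswith(Path(root).as_uri()),
        "traversal_trusted": is_trusted_entity(escaped_uri, root),
    }


if __name__ == "__main__":
    print(demo())
```

The handler is the single choke point: expat does not open the system identifier itself, so an entity is only ever read by the code that passed the allowlist check. Note that the check compares resolved filesystem paths rather than URI prefixes; the demo's traversal case shows a prefix comparison accepting a URI that resolves outside the trusted directory.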

+ Content History

Submissions
Submission Date   Submitter            Organization
2014-06-23        CAPEC Content Team   The MITRE Corporation

Modifications
Modification Date   Modifier             Organization
2017-08-04          CAPEC Content Team   The MITRE Corporation
    Updated Activation_Zone, Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description, Description Summary, Examples-Instances, Injection_Vector, Methods_of_Attack, Payload, Payload_Activation_Impact, Resources_Required, Typical_Likelihood_of_Exploit, Typical_Severity
2018-07-31          CAPEC Content Team   The MITRE Corporation
    Updated Attack_Phases, Description Summary, Related_Attack_Patterns, Related_Weaknesses

Previous Entry Names
Change Date   Previous Entry Name
2018-07-31    XML Entity Blowup

Page Last Updated or Reviewed: July 31, 2018