CAPEC-201: XML Entity Blowup (Version 2.10)

 
Attack Pattern ID: 201
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An attacker creates an XML document that contains an external entity reference. External entity references can take the form of <!ENTITY name SYSTEM "uri"> tags in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections. For example, the following DTD would attempt to open the /dev/tty device:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>
+ Attack Prerequisites
  • The target must follow external entity references without checking the validity of the reference target.

+ Typical Severity

Medium

+ Resources Required

The attacker must be able to trick the target into loading an XML document with a crafted external entity reference.

+ Solutions and Mitigations

Configure the XML processor to only retrieve external entities from trusted sources.
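
One way to apply this mitigation, shown as an added example that is not part of the CAPEC entry: a Python xml.sax entity resolver that serves external entities only from a local catalog and rejects every other reference before anything is opened. The catalog URI, the class and function names, and the sample documents are assumptions constructed for illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed catalog (assumption): the only system identifiers trusted here,
# each mapped to locally held content, so nothing is fetched from the URI.
TRUSTED_ENTITIES = {
    "https://schemas.example.test/notice.ent": b"<notice>internal use only</notice>",
}


class UntrustedEntityError(Exception):
    """A document referenced an external entity that is not in the catalog."""


class CatalogResolver(EntityResolver):
    def resolveEntity(self, publicId, systemId):
        body = TRUSTED_ENTITIES.get(systemId)
        if body is None:
            # Refuse before any file or socket is opened on the reference.
            raise UntrustedEntityError(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(body))
        return source


def parse_with_catalog(xml_bytes):
    """Return the document's text, expanding only catalogued entities."""
    parser = xml.sax.make_parser()
    # The resolver is consulted only when external general entities are
    # enabled; Python 3.7.1 and later leave them disabled by default.
    parser.setFeature(feature_external_ges, True)
    parser.setEntityResolver(CatalogResolver())
    chunks = []
    handler = ContentHandler()
    handler.characters = chunks.append  # collect character data
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(chunks)


# Constructed inputs: a trusted reference, and the /dev/tty DTD from above.
TRUSTED_DOC = (b'<!DOCTYPE doc [ <!ENTITY ent SYSTEM '
               b'"https://schemas.example.test/notice.ent"> ]><doc>&ent;</doc>')
HOSTILE_DOC = (b'<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>'
               b'<doc>&ent;</doc>')
```

If the application never needs external entities, leaving feature_external_ges at its default of disabled is the simpler configuration.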

+ Content History
Submissions
Submitter: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2014-06-23
Source: Internal_CAPEC_Team
Page Last Updated or Reviewed: May 01, 2017