Home > CAPEC List > CAPEC-201: XML Entity Blowup (Version 2.11)  

CAPEC-201: XML Entity Blowup

XML Entity Blowup
Definition in a New Window Definition in a New Window
Attack Pattern ID: 201
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An attacker creates an XML document that with an external entity reference. External entity references can take the form of <!ENTITY name system "uri"> tags in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections.

+ Attack Steps
  1. Survey the target: Using a browser or an automated tool, an attacker records all instances of web services to process XML requests.

    Use an automated tool to record all instances of URLs to process XML requests.

    Use a browser to manually explore the website and analyze how the application processes XML requests.

  1. Launch an XML Entity Blowup attack: The attacker crafts malicious XML message that contains references to senstive files.

    Send the malicious crafted XML message containing the reference to a senstive file to the target URL.

+ Attack Prerequisites
  • The target must follow external entity references without validating the validity of the reference target.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • API Abuse
+ Examples-Instances


The following DTD would attempt to open the /dev/tty device:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>

A malicious actor could use this crafted DTD to reveal sensitive information.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To send XML messages with maliciously crafted DTDs.

+ Resources Required

None: No specialized resources are required to execute this type of attack.

+ Solutions and Mitigations

Configure the XML processor to only retrieve external entities from trusted sources.

+ Injection Vector

XML-capable system interfaces

+ Payload

Maliciously crafted XML entity

+ Activation Zone

XML inspection, parsing and validation routines

+ References
[R.201.1] "XXE (Xml eXternal Entity) Attack". Beyond Security. <http://www.securiteam.com/securitynews/6D0100A5PU.html>.
[R.201.2] "CESA-2007-002 - rev 2: Sun JDK6 breaks XXE attack protection". <http://scary.beasts.org/security/CESA-2007-002.html>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Activation_Zone, Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description, Description Summary, Examples-Instances, Injection_Vector, Methods_of_Attack, Payload, Payload_Activation_Impact, Resources_Required, Typical_Likelihood_of_Exploit, Typical_SeverityInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017