Home > CAPEC List > CAPEC-228: DTD Injection (Version 2.10)  

CAPEC-228: DTD Injection

DTD Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 228
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.

+ Attack Prerequisites
  • The target must be running an XML based application that leverages DTDs.

+ Typical Severity


+ Solutions and Mitigations

Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.

Implementation: Disallow the inclusion of DTDs as part of incoming messages.

+ References
[R.228.1] Ryan Naraine. "DoS Flaw in SOAP DTD Parameter". InternetNews.com. ITBusiness Edge, Quinstreet Inc.. December 15, 2003. <http://www.internetnews.com/dev-news/article.php/3289191>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017