CAPEC-229: XML Attribute Blowup (CAPEC Version 2.11)

Attack Pattern ID: 229
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

This attack exploits XML parsers that store an element's attributes in an inefficient container, one whose cost to insert a new attribute grows with the number of attributes already stored. The attacker crafts an XML document with a very large number of attributes on a single element. In a vulnerable parser this results in a denial of service condition where CPU resources are exhausted by the parsing algorithm itself, long before the document's size would otherwise be a problem.

+ Attack Steps
Explore
  1. Survey the target: Using a browser or an automated tool, the attacker records every web service endpoint that accepts XML requests.

    Use an automated tool to record all URLs that process XML requests.

    Use a browser to manually explore the website and analyze how the application processes XML requests.

Exploit
  1. Launch an XML Attribute Blowup attack: The attacker crafts a malicious XML message that contains a very large number of attributes on the same element.

    Send the crafted XML message to the target URL; the parser's superlinear handling of the attributes causes a denial of service.

+ Attack Prerequisites
  • The server accepts XML input and parses it with a parser whose attribute container makes inserting n attributes into one element cost more than O(n) in total, for example a container whose per-insertion cost grows with the number of attributes already stored (the entry cites .NET Framework 1.0 and 1.1 as examples).

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • API Abuse
  • Flooding
+ Examples-Instances

Description

In this example, assume that the victim is running a vulnerable parser such as .NET Framework 1.0, whose attribute container gives a quadratic parsing time of O(n^2) in the number of attributes on an element. Note that attribute names must be valid XML Names (they cannot begin with a digit), so a real payload uses names such as a0, a1, ... rather than bare numbers.

<?xml version="1.0"?>
<foo
aaa=""
ZZZ=""
...
z999=""
/>

A document with n attributes on one element results in roughly n^2/2 operations. If one operation takes 100 nanoseconds, a document with 100,000 attributes requires about 5 x 10^9 operations and takes 500 s to process. In this fashion a message of less than 1 MB (100,000 attributes of about ten bytes each) exhausts the CPU resources of the server and causes a denial of service.

+ Solutions and Mitigations

This attack is mitigated completely by using a parser whose attribute container has constant-time (for example, hashed) insertion, so that parsing n attributes costs O(n). Mitigation may also limit the number of attributes per XML element; a cap on total request size is worth enforcing as well, since it is checked before any parsing work is done and bounds parser CPU time regardless of the container in use. Note that an attribute-count limit addresses only this pattern and not other XML-based resource exhaustion attacks.
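The following is an added example, not code from the CAPEC entry or from any vendor's parser. It models the quadratic attribute container the entry describes (as a list scanned for duplicates on every insert, which is an assumption about the behaviour attributed to .NET 1.0/1.1, not that code), builds the constructed payload from the Examples-Instances section with valid attribute names, reproduces the entry's 500 s arithmetic, and shows the mitigations: a hashed container, and a parse that enforces a byte cap and a per-element attribute cap using the Python standard library's expat parser. The limit values and function names are illustrative choices.

```python
"""Added example for CAPEC-229: quadratic attribute container vs. mitigated parsing."""
import re
from xml.parsers import expat


def build_attribute_blowup(n: int, element: str = "foo") -> str:
    """Constructed payload: one element carrying n distinct attributes.
    Names are a0, a1, ... because XML Names may not start with a digit."""
    attrs = " ".join(f'a{i}=""' for i in range(n))
    return f'<?xml version="1.0"?><{element} {attrs}/>'


_DECL_RE = re.compile(r'^\s*<\?xml[^>]*\?>')
_ATTR_RE = re.compile(r'([A-Za-z_][\w.\-]*)\s*=\s*"([^"]*)"')


def _attribute_tokens(doc: str):
    """Toy tokenizer for a single-element document: skip the XML declaration
    (so version="1.0" is not counted) and yield (name, value) pairs."""
    body = _DECL_RE.sub("", doc, count=1)
    return [(m.group(1), m.group(2)) for m in _ATTR_RE.finditer(body)]


def parse_attributes_list_based(doc: str):
    """Assumed vulnerable container: attributes kept in a list, and every
    insert scans the whole list for a duplicate name. Attribute number i
    costs i comparisons, so n attributes cost n(n-1)/2 comparisons in total.
    Returns (attributes, comparisons)."""
    names, values, comparisons = [], [], 0
    for name, value in _attribute_tokens(doc):
        for existing in names:
            comparisons += 1
            if existing == name:
                raise ValueError(f"duplicate attribute {name!r}")
        names.append(name)
        values.append(value)
    return dict(zip(names, values)), comparisons


def parse_attributes_hashed(doc: str):
    """Non-vulnerable container: a dict, one hashed lookup per insert, O(n) total.
    Returns (attributes, lookups)."""
    attrs, lookups = {}, 0
    for name, value in _attribute_tokens(doc):
        lookups += 1
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = value
    return attrs, lookups


def estimated_seconds(n: int, op_ns: float = 100.0) -> float:
    """The entry's arithmetic: n^2/2 operations at op_ns nanoseconds each."""
    return n * n / 2 * op_ns / 1e9


class XmlLimitExceeded(Exception):
    """Raised when a document exceeds the size or attribute-count limit."""


def parse_with_limits(doc: str, max_attrs: int = 64, max_bytes: int = 1 << 20) -> int:
    """Mitigated parse using the stdlib expat parser (hashed attribute storage).
    The byte cap runs before any parsing and so bounds parser CPU time whatever
    the container; the per-element cap keeps oversized attribute sets away from
    application code. Returns the number of elements parsed."""
    if len(doc.encode("utf-8")) > max_bytes:
        raise XmlLimitExceeded(f"document is larger than {max_bytes} bytes")
    parser = expat.ParserCreate()
    count = [0]

    def start_element(name, attrs):
        if len(attrs) > max_attrs:
            raise XmlLimitExceeded(
                f"<{name}> carries {len(attrs)} attributes (limit {max_attrs})")
        count[0] += 1

    parser.StartElementHandler = start_element
    parser.Parse(doc, True)  # an exception raised in the handler aborts the parse
    return count[0]


def accepts(doc: str, max_attrs: int = 64, max_bytes: int = 1 << 20) -> bool:
    """True if the document is well-formed and passes both limits."""
    try:
        parse_with_limits(doc, max_attrs, max_bytes)
        return True
    except (XmlLimitExceeded, expat.ExpatError):
        return False


if __name__ == "__main__":
    # Small n only: the list-scanning model at n = 100,000 would really perform
    # 5e9 comparisons in pure Python, which is exactly the attack's effect.
    for n in (1000, 2000, 4000):
        doc = build_attribute_blowup(n)
        _, quad = parse_attributes_list_based(doc)
        _, lin = parse_attributes_hashed(doc)
        print(f"n={n:5d}  list-scan comparisons={quad:9d}  hashed lookups={lin:5d}")
    print(f"estimated time at n=100000, 100 ns/op: {estimated_seconds(100_000):.0f} s")
    print("blowup accepted by limited parser:", accepts(build_attribute_blowup(1000)))
```

Doubling n quadruples the list-scan comparisons while the hashed lookups merely double, which is the whole difference between a vulnerable and a non-vulnerable parser for this pattern. In `parse_with_limits`, the attribute check fires only after expat has already tokenized the element's attributes, so that cap alone would not save a parser with a quadratic container; the byte cap, applied before parsing, is the check that bounds CPU time unconditionally.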

+ Injection Vector

XML-capable system interfaces

+ Payload

Maliciously crafted XML input

+ Activation Zone

XML inspection, parsing and validation routines

+ Content History
Submissions
  Submitter: CAPEC Content Team; Organization: The MITRE Corporation; Date: 2014-06-23; Source: Internal_CAPEC_Team
Modifications
  Modifier: CAPEC Content Team; Organization: The MITRE Corporation; Date: 2017-08-04; Source: Internal
  Comments: Updated Activation_Zone, Attack_Phases, Description, Description Summary, Examples-Instances, Injection_Vector, Methods_of_Attack, Payload, Related_Attack_Patterns, Typical_Likelihood_of_Exploit, Typical_Severity

Page Last Updated or Reviewed: July 31, 2017