CAPEC-229: XML Attribute Blowup (Version 3.0)

Attack Pattern ID: 229
Abstraction: Detailed
Status: Draft
+ Description
This attack exploits certain XML parsers which manage data in an inefficient manner. The attacker crafts an XML document with many attributes in the same XML node. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm.
+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships

The table(s) below show the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
Nature | Type | ID | Name
ChildOf | Standard Attack Pattern | 231 | XML Oversized Payloads

Standard Attack Pattern: A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.
+ Execution Flow
Explore
  1. Survey the target: Using a browser or an automated tool, an attacker records all instances of web services that process XML requests.

    Techniques
    Use an automated tool to record all instances of URLs to process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.
Exploit
  1. Launch an XML Attribute Blowup attack: The attacker crafts a malicious XML message that contains multiple attributes in the same node.

    Techniques
    Send the maliciously crafted XML message containing the multiple attributes to the target URL, causing a denial of service.
+ Prerequisites
The server accepts XML input and is using a parser with a runtime longer than O(n) for the insertion of a new attribute in the data container (examples are .NET framework 1.0 and 1.1).
+ Mitigations
This attack may be mitigated completely by using a parser that is not using a vulnerable container. Another mitigation is to limit the number of attributes per XML element.
+ Example Instances

In this example, assume that the victim is running a vulnerable parser such as .NET framework 1.0. This results in a quadratic runtime of O(n^2).

<?xml version="1.0"?> <foo aaa="" ZZZ="" ... 999="" />

A document with n attributes results in (n^2)/2 operations to be performed. If an operation takes 100 nanoseconds, then a document with 100,000 operations would take 500 s to process. In this fashion, a small message of less than 1 MB causes a denial of service condition on the CPU resources.
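
The attribute limit from the Mitigations section, as an added example (not part of the CAPEC entry): a pre-parse screen in Python that caps document size and attributes per element before a document reaches the application's parser. The limit values, the function names and the use of Python's expat bindings as the screening parser are assumptions, and the screen only helps if that parser itself handles attributes in linear time; `worst_case_seconds` applies the entry's (n^2)/2 cost model with n taken as the attribute count.

```python
import xml.parsers.expat

# Assumed policy values (not from the CAPEC entry); tune them to your schema.
MAX_ATTRS_PER_ELEMENT = 64
MAX_DOCUMENT_BYTES = 256 * 1024


class XmlLimitExceeded(Exception):
    """Raised when a document violates the screening policy."""


def worst_case_seconds(n_attrs, op_ns=100):
    """Cost of one element under the entry's (n^2)/2 model, in seconds."""
    return (n_attrs * n_attrs // 2) * op_ns / 1e9


def check_xml_limits(data, max_attrs=MAX_ATTRS_PER_ELEMENT,
                     max_bytes=MAX_DOCUMENT_BYTES):
    """Return the element count, or raise XmlLimitExceeded."""
    if len(data) > max_bytes:  # bounds n before any parsing happens
        raise XmlLimitExceeded(f"document is {len(data)} bytes, limit {max_bytes}")
    elements = 0

    def on_start(name, attrs):
        nonlocal elements
        elements += 1
        # ordered_attributes gives a flat [name, value, name, value, ...] list
        if len(attrs) // 2 > max_attrs:
            raise XmlLimitExceeded(f"<{name}> has {len(attrs) // 2} attributes")

    parser = xml.parsers.expat.ParserCreate()
    parser.ordered_attributes = True
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlLimitExceeded(f"malformed XML: {exc}") from exc
    return elements


def make_doc(n_attrs):
    """Constructed sample input: one element carrying n_attrs empty attributes."""
    attrs = b" ".join(b'a%d=""' % i for i in range(n_attrs))
    return b'<?xml version="1.0"?><foo ' + attrs + b"/>"


if __name__ == "__main__":
    print(check_xml_limits(make_doc(10)), worst_case_seconds(MAX_ATTRS_PER_ELEMENT))
    try:
        check_xml_limits(make_doc(5000))
    except XmlLimitExceeded as exc:
        print("rejected:", exc)
```

Run the screen on the raw request body and pass the document to the application's parser only if it returns without raising.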

+ Memberships
This MemberOf Relationships table shows additional CAPEC Categories and Views that reference this attack pattern as a member. This information is often useful in understanding where an attack pattern fits within the context of external information sources.

Nature | Type | ID | Name
MemberOf | Category | 374 | WASC-41 - XML Attribute Blowup

Category: A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.
+ Content History
Submissions
Submission Date | Submitter | Organization
2014-06-23 | CAPEC Content Team | The MITRE Corporation

Modifications
Modification Date | Modifier | Organization
2017-08-04 | CAPEC Content Team | The MITRE Corporation
Updated Activation_Zone, Attack_Phases, Description, Description Summary, Examples-Instances, Injection_Vector, Methods_of_Attack, Payload, Related_Attack_Patterns, Typical_Likelihood_of_Exploit, Typical_Severity

Page Last Updated or Reviewed: July 31, 2018