Home > CAPEC List > CAPEC-484: XML Client-Side Attack (Version 3.0)  

CAPEC-484: XML Client-Side Attack

Attack Pattern ID: 484
Abstraction: Standard
Status: Draft
Presentation Filter:
+ Description
Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
+ Likelihood Of Attack


+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.82Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
+ Execution Flow
  1. An attacker determines the input data stream that is being processed by an XML parser on the victim's side.

  1. An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the victim's system.

+ Prerequisites
An application uses an XML parser to perform transformation on user-controllable data.
An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser.
+ Skills Required
[Level: High]
Arbitrary code execution
+ Indicators
The client software crashes after visiting a URL downloaded from a hostile server.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Resource Consumption
Read Data
Execute Unauthorized Commands
Access Control
Gain Privileges
+ Mitigations
Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser.
The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.
+ Example Instances
"A remote code execution vulnerability exists in the way that Microsoft Windows parses XML content. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted webpage that is used to exploit this vulnerability. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attackers' website." [R.484.2]
See also: CVE-2013-0006 , CVE-2013-0007
+ References
[REF-89] Shlomo, Yona. "XML Parser Attacks: A summary of ways to attack an XML Parser". What is an XML Parser Attack?. 2007. <http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html>.
[REF-418] "Microsoft Security Bulletin MS13-002". Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution. Version 1.1. Microsoft Security Response Center Archive. Microsoft. 2013-01-08. <https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-002>.
+ Content History
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated References

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018