CAPEC-484: XML Client-Side Attack (Version 2.9)

Attack Pattern ID: 484
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Summary

Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]

+ Attack Execution Flow
Explore
  1. An attacker determines the input data stream that is being processed by an XML parser on the victim's side.

Experiment
  1. An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the victim's system.

+ Attack Prerequisites
  • An application uses an XML parser to perform transformation on user-controllable data.

  • An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser.

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Injection
  • API Abuse
+ Examples-Instances

Description

"A remote code execution vulnerability exists in the way that Microsoft Windows parses XML content. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted webpage that is used to exploit this vulnerability. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attackers' website." [R.484.2]

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Arbitrary code execution

+ Indicators-Warnings of Attack

The client software crashes after visiting a URL downloaded from a hostile server.

+ Solutions and Mitigations

Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser.

The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.
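
One way to apply the first mitigation above, as an added example that is not part of the CAPEC entry: a pre-parse gate that checks untrusted XML against explicit limits before the application's own parser sees it. The function name `check_xml`, the `UnsafeXML` exception, the limit values and the policy of rejecting every DOCTYPE are assumptions made for illustration; the sample inputs are constructed.

```python
import xml.parsers.expat

# Assumed limits for illustration; tune them to what the application really needs.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000

class UnsafeXML(ValueError):
    """Raised when input breaks a rule; the message names the rule."""

def check_xml(data: bytes) -> int:
    """Validate untrusted XML; return the element count or raise UnsafeXML."""
    if len(data) > MAX_BYTES:
        raise UnsafeXML("input too large")
    state = {"depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no entity definitions to expand or resolve.
        raise UnsafeXML("DOCTYPE not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise UnsafeXML("nesting too deep")
        if state["elements"] > MAX_ELEMENTS:
            raise UnsafeXML("too many elements")

    def on_end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)  # handler exceptions propagate to the caller
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"not well-formed: {exc}") from exc
    return state["elements"]

# Constructed sample inputs.
BENIGN = b"<r><i/><i/></r>"
WITH_DOCTYPE = b'<!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>'
TOO_DEEP = b"<a>" * 40 + b"</a>" * 40
MALFORMED = b"<r><unclosed></r>"
```

The gate is itself an XML parser run on hostile input, so the second mitigation (keeping the parsing library patched) applies to it as much as to the parser it protects.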

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Availability | DoS: resource consumption (memory) |
Confidentiality | Read memory |
Confidentiality, Integrity, Availability | Execute unauthorized code or commands |
Confidentiality, Access_Control, Authorization | Gain privileges / assume identity |
+ Injection Vector

Client software that parses XML data included in HTML data.

+ Payload

User-controllable XML code

+ Activation Zone

The XML parser code.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: Medium
Integrity Impact: High
Availability Impact: High
+ Technical Context
Architectural Paradigms: Client-Server
Frameworks: All
Platforms: All
Languages: All
+ References
[R.484.1] [REF-43] Shlomo, Yona. "XML Parser Attacks: A summary of ways to attack an XML Parser". What is an XML Parser Attack?. 2007. <http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html>.
[R.484.2] [REF-44] "Microsoft Security Bulletin MS13-002". Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution. Version 1.1. Microsoft Security Response Center Archive. Microsoft. January 8, 2013. <http://technet.microsoft.com/en-us/security/bulletin/ms13-002>.
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team

Page Last Updated or Reviewed: December 07, 2015