CAPEC-491: XML Quadratic Expansion (Version 2.9)

Attack Pattern ID: 491
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An adversary exploits a few properties of XML (substitution entities and inline DTDs) to cause a denial of service due to the excessive memory allocated to fully expand the XML. The resulting denial of service can cause the application to freeze or crash.

+ Attack Prerequisites
  • This type of attack requires a server that accepts XML data and parses the data.

+ Examples-Instances

Description

In this example the attacker defines one large entity and refers to it many times.

<?xml version="1.0"?>
<!DOCTYPE bomb [<!ENTITY x "AAAAA
... [100K of them] ...
AAAA">]>
<boom>
<bang>&x;&x;
... [100K of them] ...
&x;&x;</bang>
</boom>

This results in a relatively small message of roughly 100 KB that expands to a message in the GB range.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.

Implementation: Disable altogether the use of inline DTD schemas in your XML parsing objects. If you must use a DTD, normalize, filter and whitelist the input, and parse with methods and routines that will detect entity expansion from untrusted sources.
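As an added example (not part of the CAPEC entry), a Python parser guard built on the standard library's expat binding that applies both mitigations above: it refuses documents carrying an inline DTD subset, and it meters the character data expat produces while expanding entities against a ratio to the input size, abandoning the parse long before a GB-range expansion materialises. The scaled-down "bomb" document is constructed here after the page's example; the function names and the 10x default ratio are assumptions.

```python
import xml.parsers.expat


class InlineDtdError(ValueError):
    """Document carries an internal DTD subset and inline DTDs are disabled."""


class ExpansionLimitError(ValueError):
    """Expanded character data exceeded the configured ratio to input size."""


def parse_with_expansion_limit(xml_bytes, max_ratio=10, allow_dtd=False):
    """Parse with expat while metering expanded text; abort once over budget.

    Returns the number of expanded characters on success. expat expands internal
    entities itself, so every &x; reference arrives in CharacterDataHandler.
    """
    budget = max_ratio * len(xml_bytes)
    expanded = 0
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # "Disable altogether the use of inline DTD schemas": refuse [ ... ] subsets.
        if has_internal_subset and not allow_dtd:
            raise InlineDtdError(f"inline DTD subset rejected for <!DOCTYPE {name}>")

    def on_char_data(data):
        nonlocal expanded
        expanded += len(data)
        if expanded > budget:  # stop as soon as the ratio is exceeded
            raise ExpansionLimitError(f"expanded text exceeded {max_ratio}x input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = on_char_data
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return expanded


def build_quadratic_document(entity_len, refs):
    """Constructed, scaled-down instance of the page's 'bomb' document."""
    entity = "A" * entity_len
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE bomb [<!ENTITY x "{entity}">]>\n'
        f'<boom><bang>{"&x;" * refs}</bang></boom>\n'
    ).encode()


def classify(xml_bytes, **kwargs):
    """Report how the guard treats a document: 'ok', 'dtd' or 'expansion'."""
    try:
        parse_with_expansion_limit(xml_bytes, **kwargs)
    except InlineDtdError:
        return "dtd"
    except ExpansionLimitError:
        return "expansion"
    return "ok"
```

A 1000-character entity referenced 200 times is under 2 KB of input but 200,000 characters once expanded; the guard rejects it for its DTD by default, and for its expansion ratio when inline DTDs are permitted.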

+ Content History

Submissions

Submitter: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2014-06-23
Source: Internal_CAPEC_Team

Page Last Updated or Reviewed: December 07, 2015