CAPEC-491: XML Quadratic Expansion (CAPEC List Version 2.11)
Attack Pattern ID: 491
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An adversary exploits a few properties of XML (substitution entities and inline DTDs) to cause a denial of service due to the excessive memory allocated to fully expand the XML. The result of this denial of service could be that the application freezes or crashes.

+ Attack Prerequisites
  • This type of attack requires a server that accepts XML data and parses the data.

+ Examples-Instances


In this example the attacker defines one large entity and refers to it many times.

<?xml version="1.0"?>
... [100K of them] ...
... [100K of them]...

This results in a relatively small message of about 100 KB that expands to a message in the GB range.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.

Implementation: Disable altogether the use of inline DTD schemas in your XML parsing objects. If a DTD must be used, normalize, filter and whitelist the input, and parse with methods and routines that will detect entity expansion from untrusted sources.
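As an added example that is not part of the CAPEC entry, the following Python code implements the last mitigation above (detecting entity expansion from untrusted input before it happens) using only the standard-library expat bindings. The function names, the 1 MB default budget and the scaled-down sample document built by build_quadratic_document are my own constructions.

```python
import xml.parsers.expat

class ExpansionBudgetExceeded(ValueError):
    """The document's entities would expand past the configured budget."""

def entity_expansion_size(xml_bytes, max_expanded_bytes=1_000_000):
    """Bytes the internal general entities in xml_bytes would expand to,
    computed without expanding them.  Installing a DefaultHandler (not
    DefaultHandlerExpand) makes expat stop substituting internal entities and
    report each "&name;" reference to SkippedEntityHandler instead, so summing
    the declared replacement length per reference gives the quadratic cost
    (entity size x reference count) at linear scan cost, and parsing stops as
    soon as the total passes the budget, before memory is spent on the text.
    """
    entity_len = {}  # entity name -> length of its literal replacement text
    total = 0

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:  # internal general entities only
            entity_len[name] = len(value)

    def on_skipped_entity(name, is_param):
        nonlocal total
        # References nested inside a replacement text are not followed: exact for
        # a flat payload like the CAPEC-491 example, a lower bound for recursive ones.
        total += entity_len.get(name, 0)
        if total > max_expanded_bytes:
            raise ExpansionBudgetExceeded(f"expansion would exceed {max_expanded_bytes} bytes")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.SkippedEntityHandler = on_skipped_entity
    parser.DefaultHandler = lambda data: None  # side effect: disables entity expansion
    parser.Parse(xml_bytes, True)
    return total

def is_safe_to_parse(xml_bytes, max_expanded_bytes=1_000_000):
    """Gate to run on untrusted input before handing it to the real parser."""
    try:
        entity_expansion_size(xml_bytes, max_expanded_bytes)
        return True
    except ExpansionBudgetExceeded:
        return False

def build_quadratic_document(entity_size, references):
    """Constructed sample shaped like the CAPEC example (one large entity, many
    references), scaled down from 100K/100K for the demonstration."""
    return (b'<?xml version="1.0"?>\n<!DOCTYPE kaboom [<!ENTITY a "'
            + b"a" * entity_size + b'">]>\n<kaboom>' + b"&a;" * references + b"</kaboom>")
```

Entity references inside attribute values are still expanded by expat and are not counted here, so this gate complements, rather than replaces, disabling inline DTDs as recommended above.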

+ Content History
Date        Contributor         Organization           Source               Comment
2014-06-23  CAPEC Content Team  The MITRE Corporation  Internal_CAPEC_Team
2017-08-04  CAPEC Content Team  The MITRE Corporation  Internal             Updated Related_Attack_Patterns

Page Last Updated or Reviewed: August 04, 2017