Home > CAPEC List > CAPEC-491: XML Quadratic Expansion (Version 3.0)  

CAPEC-491: XML Quadratic Expansion

Attack Pattern ID: 491
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
An adversary exploits a few properties of XML(substitution entities and inline DTDs) to cause a denial of service situation due to excessive memory being allocated to fully expand the XML. The result of this denial of service could cause the application to freeze or crash.
+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.230XML Nested Payloads
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.228DTD Injection
+ Prerequisites
This type of attack requires a server that accepts XML data and parses the data.
+ Mitigations

Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.

Implementation: Disable altogether the use of inline DTD schemas in your XML parsing objects. If must use DTD, normalize, filter and white list and parse with methods and routines that will detect entity expansion from untrusted sources.

+ Example Instances

In this example the attacker defines one large entity and refers to it many times.

<?xml version="1.0"?> <!DOCTYPE bomb [<!ENTITY x "AAAAA
... [100K of them] ...
AAAA">]> <boom>
<bang>&x;&x;
... [100K of them]...
&x;&x;</bang>
</boom>

This results in a relatively small message of 100KBs that will expand to a message in the GB range.

+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018