CAPEC - CAPEC-82: Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) (Release 1.4)

Home > CAPEC List > CAPEC-82: Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) (Release 1.4)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List

News & Events
Calendar
Free Newsletter

Contact Us
Search the Site

CAPEC-82: Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))

Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))

Attack Pattern ID: 82 (Standard Attack Pattern Completeness: Complete)

Typical Severity: Very High

Status: Draft

Description

Summary

XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets.

There are three primary attack vectors that XDoS can navigate

Target CPU through recursion: attacker creates a recursive payload and sends to service provider

Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects.

XML Ping of death: attack service provider with numerous small files that clog the system.

All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Attack Prerequisites

Attacker must be able to send a malicious XML payload to host, such as SOAP or REST web service.

Typical Likelihood of Exploit

Likelihood: High

Methods of Attack

Injection

Examples-Instances

Description

Several commercial XML parsers were found to be vulnerable to XDoS through XML recursion attacks. The code fragment below is self-referencing and can result in the parser exhausting all CPU and/or memory available to it.

<!DOCTYPE evildoc [

<!ENTITY x0 hello XDoS">

<!ENTITY xevilparam &x99;&x99;"> ]>

<foobar>&xevilparam;</foobar>

By the time the service provider validatesthe DTD elements it is too late, because the validation routines references itself. SOAP messages are no longer allowed to accept DTDs, however there is nothing to stop developers of other applications or custom SOAP implementations from bypassing this concern.

Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Crafting malicious XML content and injecting it through standard interfaces

Solutions and Mitigations

Design: Utilize a Security Pipeline Interface (SPI) to mediate communications between service requester and service provider The SPI should be designed to throttle up and down and handle a variety of payloads.

Design: Utilize clustered and fail over techniques, leverage network transports to provide availability such as HTTP load balancers

Implementation: Check size of XML message before parsing

Attack Motivation-Consequences

Denial of Service

Injection Vector

XML-capable system interfaces

Payload

Maliciously crafted XML

Activation Zone

XML inspection, parsing and validation routines

Payload Activation Impact

Denial of Service

Related Attack Patterns

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	119	Resource Depletion	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	99	XML Parser Attack	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	147	XML Ping of Death	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	197	XEE (XML Entity Expansion)	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	229	XML Attribute Blowup	Mechanism of Attack (primary)1000

Purposes

Exploitation

CIA Impact

Confidentiality Impact: Low

Integrity Impact: Medium

Availability Impact: High

Technical Context

Architectural Paradigms	Client-Server SOA
Frameworks	All
Platforms	All
Languages	All

Content History

Submissions
Submitter	Date	Comments
Gunnar Peterson	2007-02-28

Modifications
Modifier	Organization	Date	Comments
Sean Barnum	Cigital, Inc	2007-03-07	Review and revise
Richard Struse	VOXEM, Inc	2007-03-26	Review and feedback leading to changes in Name
Sean Barnum	Cigital, Inc	2007-04-16	Modified pattern content according to review and feedback

Page Last Updated: September 23, 2009


	CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Vision and Technical Leadership provided by Cigital, Inc. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us