CAPEC-229: XML Attribute Blowup (Version 3.2)

Attack Pattern ID: 229
Abstraction: Detailed
Status: Draft
+ Description
This attack exploits certain XML parsers that manage data inefficiently. The attacker crafts an XML document with many attributes in the same XML node. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm.
+ Likelihood Of Attack


+ Typical Severity


+ Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

ChildOf: Standard Attack Pattern 231, XML Oversized Payloads

The table below shows the views that this attack pattern belongs to and top level categories within that view.

+ Execution Flow
  1. Survey the target: Using a browser or an automated tool, an attacker records all instances of web services that process XML requests.

    Use an automated tool to record all instances of URLs that process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.
  2. Launch an XML Attribute Blowup attack: The attacker crafts a malicious XML message that contains multiple attributes in the same node.

    Send the maliciously crafted XML message containing the multiple attributes to the target URL, causing a denial of service.
+ Prerequisites
The server accepts XML input and uses a parser whose runtime for inserting a new attribute into the data container is longer than O(n) (examples are .NET framework 1.0 and 1.1).
+ Mitigations
This attack may be mitigated completely by using a parser that does not use a vulnerable container. Another mitigation is to limit the number of attributes per XML element.
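One way to enforce the per-element attribute limit before a document reaches the application's own parser, as an added example that is not part of the CAPEC entry. The names `check_attribute_limit`, `TooManyAttributes`, `make_sample` and the limit of 64 are assumptions, and the sketch assumes the front-end parser (Python's expat binding here) is not itself affected by the slow attribute container.

```python
import xml.parsers.expat

MAX_ATTRS = 64  # assumed policy limit; set it to the largest count your schema allows


class TooManyAttributes(ValueError):
    """Raised when an element carries more attributes than the policy allows."""


def check_attribute_limit(data: bytes, max_attrs: int = MAX_ATTRS) -> int:
    """Stream through `data` and return the largest attribute count seen on
    any single element. Raises TooManyAttributes at the first element over
    the limit, so the rest of the document is never processed."""
    parser = xml.parsers.expat.ParserCreate()
    # Deliver attributes as a flat [name, value, name, value, ...] list
    # instead of building a dict for every element.
    parser.ordered_attributes = True
    worst = 0

    def on_start(name, attrs):
        nonlocal worst
        count = len(attrs) // 2
        worst = max(worst, count)
        if count > max_attrs:
            raise TooManyAttributes(
                f"<{name}> has {count} attributes (limit {max_attrs})")

    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # exceptions raised in the handler propagate out
    return worst


def make_sample(n: int) -> bytes:
    """Constructed test input: one element with n distinct empty attributes."""
    attrs = b" ".join(b'a%d=""' % i for i in range(n))
    return b'<?xml version="1.0"?><foo ' + attrs + b"/>"


if __name__ == "__main__":
    print(check_attribute_limit(make_sample(10)))   # within the limit
    try:
        check_attribute_limit(make_sample(500))     # rejected before hand-off
    except TooManyAttributes as exc:
        print("rejected:", exc)
```

Run the check at the trust boundary and pass the document to the downstream parser only if it returns without raising.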
+ Example Instances

In this example, assume that the victim is running a vulnerable parser such as .NET framework 1.0. This results in a quadratic runtime of O(n^2).

<?xml version="1.0"?> <foo aaa="" ZZZ="" ... 999="" />

A document with n attributes results in (n^2)/2 operations to be performed. If an operation takes 100 nanoseconds, then a document with 100,000 attributes would take 500s to process. In this fashion a small message of less than 1MB causes a denial of service condition on the CPU resources.

+ Content History
Submission Date: 2014-06-23, Submitter: CAPEC Content Team, Organization: The MITRE Corporation
Modification Date: 2017-08-04, Modifier: CAPEC Content Team, Organization: The MITRE Corporation
Updated Activation_Zone, Attack_Phases, Description, Description Summary, Examples-Instances, Injection_Vector, Methods_of_Attack, Payload, Related_Attack_Patterns, Typical_Likelihood_of_Exploit, Typical_Severity
Page Last Updated or Reviewed: September 30, 2019