New to CAPEC? Start Here
Home > CAPEC List > CAPEC-491: Quadratic Data Expansion (Version 3.9)  

CAPEC-491: Quadratic Data Expansion

Attack Pattern ID: 491
Abstraction: Detailed
View customized information:
+ Description
An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources.
+ Alternate Terms

Term: XML Entity Expansion (XEE)

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.230Serialized Data with Nested Payloads
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.228DTD Injection
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using substituion on the victim's side.

    Use an automated tool to record all instances of URLs to process requests.
    Use a browser to manually explore the website and analyze how the application processes requests.
  1. Craft malicious payload: The adversary crafts malicious message containing nested quadratic expansion that completely uses up available server resource.

  2. Send the message: Send the malicious crafted message to the target URL.

+ Prerequisites
This type of attack requires a server that accepts serialization data which supports substitution and parses the data.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Unreliable Execution
Resource Consumption
+ Mitigations
Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.
Implementation: For XML based data - disable altogether the use of inline DTD schemas when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.
+ Example Instances

In this example the attacker defines one large entity and refers to it many times.

<?xml version="1.0"?>
<!DOCTYPE bomb [<!ENTITY x "AAAAA ... [100K of them] ... AAAA">]>
<b><c>&x;&x; ... [100K of them]... &x;&x;</c></b>

This results in a relatively small message of 100KBs that will expand to a message in the GB range.

+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 2.11)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, Related_Attack_Patterns
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Mitigations, Prerequisites
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances
Previous Entry Names
Change DatePrevious Entry Name
(Version 3.6)
XML Quadratic Expansion
More information is available — Please select a different filter.
Page Last Updated or Reviewed: October 21, 2021