CAPEC-197 - XML Entity Expansion

An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods (1)
    ◦ Flooding
  • Purposes (1)
    ◦ Exploitation
  • Scopes (1)
    ◦ DoS: resource consumption (other)
    ◦ DoS: resource consumption (memory)
    ◦ DoS: resource consumption (CPU)
    ◦ DoS: amplification
    ◦ Availability

Low level: the ability to send recursive entity expansion XML messages.

This type of attack requires that the target receives XML input and either fails to set an upper limit on entity expansion or sets a limit so large that it does not preclude significant resource consumption.

No special resources required.

Step 1 - Survey the target

Using a browser or an automated tool, an attacker records all instances of web services that process XML requests.

Technique ID: 1 - Environment(s) env-Web env-ClientServer

Use an automated tool to record all instances of URLs that process XML requests.

Technique ID: 2 - Environment(s) env-Web env-ClientServer

Use a browser to manually explore the website and analyze how the application processes XML requests.

Indicator ID: 1 - Environment(s) env-Web env-ClientServer

Type: Positive

The URL processes XML content.

Indicator ID: 2 - Environment(s) env-Web env-ClientServer

Type: Inconclusive

The application does not seem to accept XML content.


Security Control ID: 1

Type: Detective

Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it click far more slowly and far less regularly than tools. Tools make requests very quickly, and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
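The detective control above can be implemented as a small log-analysis check. The following is an added example, not CAPEC's own code: it parses Common Log Format lines, computes the gap between consecutive requests per client, and flags clients whose gaps are both short and nearly constant (low coefficient of variation), which is the "fast and regular" signature the control describes. The log lines, client addresses and thresholds are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Common Log Format lines: 198.51.100.23 fires one request per
# second (tool-like); 203.0.113.7 browses at an irregular, human pace.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "POST /api/import HTTP/1.1" 200
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /catalog HTTP/1.1" 200
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "POST /api/import HTTP/1.1" 200
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "POST /api/import HTTP/1.1" 200
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "POST /api/import HTTP/1.1" 200
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "POST /api/import HTTP/1.1" 200
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "POST /api/import HTTP/1.1" 200
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /catalog/42 HTTP/1.1" 200
203.0.113.7 - - [10/Oct/2023:13:56:25 +0000] "GET /cart HTTP/1.1" 200
203.0.113.7 - - [10/Oct/2023:13:56:28 +0000] "POST /cart HTTP/1.1" 302
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /checkout HTTP/1.1" 200
"""

# client, identity, user, [timestamp], "request line", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_log(text):
    """Yield (client, timestamp) for every line matching the CLF shape."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than failing the scan
        yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")


def request_intervals(text):
    """Map each client to the list of seconds between its consecutive requests."""
    by_client = defaultdict(list)
    for client, ts in parse_log(text):
        by_client[client].append(ts)
    intervals = {}
    for client, times in by_client.items():
        times.sort()
        if len(times) >= 2:
            intervals[client] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return intervals


def automated_clients(text, min_requests=5, max_mean_gap=2.0, max_cv=0.25):
    """Return clients whose request timing looks automated.

    A client is flagged when it made at least `min_requests` requests, the mean
    gap between them is at most `max_mean_gap` seconds, and the gaps are regular
    (coefficient of variation, stdev/mean, at most `max_cv`). The thresholds are
    constructed for this example and should be tuned per site.
    """
    flagged = {}
    for client, gaps in request_intervals(text).items():
        if len(gaps) + 1 < min_requests:
            continue
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if mean <= max_mean_gap and cv <= max_cv:
            flagged[client] = {
                "requests": len(gaps) + 1,
                "mean_gap": round(mean, 3),
                "cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for client, stats in automated_clients(SAMPLE_LOG).items():
        print(f"{client}: {stats}")
```

Second-resolution timestamps, as in the constructed log, are enough to separate a one-request-per-second tool from a human; with millisecond-resolution logs the same check resolves the 0.8-second spacing the control mentions.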



Step 1 - Launch an XML Entity Expansion attack

The attacker crafts a malicious XML message to force recursive entity expansion (or other repeated processing) that completely uses up the available server resources.

Technique ID: 1 - Environment(s) env-Web env-ClientServer

Send the maliciously crafted XML message containing recursive entity references to the target URL.

Security Control ID: 1

Type: Preventative

Disable altogether the use of inline DTD schemas in your XML parsing objects.


Outcome ID: 1

Type: Success

The attacker causes a denial of service in the target application.



Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.

Implementation: Disable altogether the use of inline DTD schemas in your XML parsing objects. If you must use a DTD, normalize, filter and whitelist the input, and parse it with methods and routines that detect entity expansion from untrusted sources.
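Both mitigations, refusing inline DTDs outright and, where a DTD must be accepted, bounding entity expansion and throwing an exception, can be built on a stock expat parser. The following is an added example, not CAPEC's own code: it wraps Python's `xml.parsers.expat`, rejects any DOCTYPE when `allow_dtd` is false, and otherwise computes the fully expanded size of each entity from its declared replacement text at declaration time, before anything is expanded, so a document whose entities nest beyond the budget is refused without ever paying the expansion cost. The budget, the document samples and the exception names are assumptions of the example; the small nested document is a constructed test vector, not a working denial-of-service payload.

```python
import re
import xml.parsers.expat as expat


class DTDRejected(Exception):
    """Raised when the document carries an inline DOCTYPE and DTDs are disabled."""


class ExpansionBudgetExceeded(Exception):
    """Raised when a declared entity would expand beyond the configured budget."""


# Entity references inside a replacement text, e.g. "&a;&a;".
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


def expansion_size(name, entities, stack=()):
    """Return the size of entity `name` after full expansion.

    Computed from the declared replacement texts in `entities` without actually
    expanding anything, so the cost is linear in the declaration sizes.
    """
    if name in stack:
        raise ExpansionBudgetExceeded(f"entity '{name}' references itself")
    value = entities.get(name)
    if value is None:
        return 0  # predefined (&lt; etc.), external, or undeclared: nothing inline to expand
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - pos                       # literal text before the reference
        total += expansion_size(m.group(1), entities, stack + (name,))
        pos = m.end()
    return total + len(value) - pos                    # literal text after the last reference


def parse(doc: bytes, allow_dtd: bool = False, max_expansion: int = 1_000) -> int:
    """Parse `doc` and return the number of character-data units delivered.

    allow_dtd=False: refuse any inline DOCTYPE (first mitigation on the page).
    allow_dtd=True:  accept a DTD but abort as soon as a declared entity would
                     expand to more than `max_expansion` characters (second
                     mitigation). `max_expansion` is a constructed default.
    """
    parser = expat.ParserCreate()
    entities = {}
    chars = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise DTDRejected("inline DOCTYPE not permitted")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if value is None:
            return  # external entity: no inline replacement text to budget here
        entities[name] = value
        size = expansion_size(name, entities)
        if size > max_expansion:
            raise ExpansionBudgetExceeded(f"entity '{name}' would expand to {size} chars")

    def on_chars(data):
        nonlocal chars
        chars += len(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)  # exceptions raised in handlers propagate out of Parse
    return chars


# Constructed samples: a benign document with one small entity, and a
# four-level nested document whose top entity expands to 10,000 characters.
BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
<note>&greeting; world</note>"""

NESTED = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
 <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<doc>&d;</doc>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("nested", NESTED)):
        for allow in (False, True):
            try:
                print(label, "allow_dtd=%s ->" % allow, parse(doc, allow_dtd=allow), "chars")
            except (DTDRejected, ExpansionBudgetExceeded) as exc:
                print(label, "allow_dtd=%s ->" % allow, type(exc).__name__, exc)
```

With DTDs disabled, both documents are refused at the DOCTYPE; with DTDs allowed, the benign document parses and the nested one is refused at the declaration of `d`, which is the point at which its computed expansion first exceeds the budget. Recent expat releases also carry their own amplification limit, but it only engages after several megabytes of output, so an explicit budget like this one is still the control that keeps small services within their memory envelope.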