CAPEC-201 - XML Entity Blowup

An attacker creates an XML document that contains an external entity reference. External entity references can take the form of <!ENTITY name SYSTEM "uri"> declarations in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections. For example, the following DTD would attempt to open the /dev/tty device:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>

The target must follow external entity references without checking the validity of the reference target.

The attacker must be able to trick the target into loading an XML document with a crafted external entity reference.

Configure the XML processor to only retrieve external entities from trusted sources.
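
One way to apply this mitigation with Python's standard xml.sax parser, shown as an added example that is not part of the original entry: an entity resolver that serves external entities only from an exact-match allowlist and refuses everything else, including the /dev/tty reference above. The allowlisted URI, the entity text, the sample documents and the names AllowlistResolver, UntrustedEntityError and parse_with_trusted_entities are assumptions made for illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed allowlist: exact system identifier -> locally vetted copy.
TRUSTED_ENTITIES = {"https://entities.example.test/terms.ent": b"vetted text"}

class UntrustedEntityError(Exception):
    """An external entity pointed outside the allowlist."""

class AllowlistResolver(EntityResolver):
    def resolveEntity(self, publicId, systemId):
        # Exact match only: no prefix or host comparison that a crafted URI
        # could satisfy, and the URI itself is never opened or fetched.
        body = TRUSTED_ENTITIES.get(systemId)
        if body is None:
            raise UntrustedEntityError(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(body))
        return source

class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

def parse_with_trusted_entities(xml_bytes):
    """Return the document text; raise UntrustedEntityError otherwise."""
    parser = xml.sax.make_parser()
    # Python 3.7.1+ leaves external general entities off by default; they are
    # enabled here only because the resolver gates every lookup.
    parser.setFeature(feature_external_ges, True)
    parser.setEntityResolver(AllowlistResolver())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)

# Constructed sample documents: one trusted reference, one from the entry.
GOOD = (b'<!DOCTYPE doc [ <!ENTITY ent SYSTEM '
        b'"https://entities.example.test/terms.ent"> ]><doc>Terms: &ent;</doc>')
BAD = b'<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]><doc>&ent;</doc>'
```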