CAPEC-197

Exponential Data Expansion
High
Medium
Draft
2014-06-23 00:00 +00:00
2022-09-29 00:00 +00:00

CAPEC Description

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.

CAPEC Information

Execution Flow

1) Explore

[Survey the target] An adversary determines the input data stream that is being processed by a data parser that supports substitution on the victim's side.

Technique
  • Use an automated tool to record all instances of URLs to process requests.
  • Use a browser to manually explore the website and analyze how the application processes requests.
2) Experiment

[Craft malicious payload] The adversary crafts a malicious message containing nested exponential expansion that completely uses up available server resources. See the "Example Instances" section for details on how to craft this malicious payload.

3) Exploit

[Send the message] Send the malicious crafted message to the target URL.

Prerequisites

This type of attack requires that the target must receive input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption.

Skills Required

Ability to craft nested data expansion messages.

Resources Required

None: No specialized resources are required to execute this type of attack.

Mitigations

Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.
Implementation: For XML-based data, disable the use of inline DTD schemas altogether when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist, and parse with methods and routines that will detect entity expansion from untrusted sources.
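As an added example, not part of this CAPEC entry, the following Python function applies the mitigation above with the standard-library expat binding: it refuses any DOCTYPE by default, and when a DTD must be allowed it rejects entity declarations that reference other entities and caps the expanded text it will materialize. The function names, the `is_safe` helper, the sample documents and the 1,000,000-byte default budget are assumptions of this example.

```python
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when untrusted XML uses a DTD or expands past the text budget."""

def parse_untrusted_xml(data: bytes, allow_dtd: bool = False,
                        max_text_bytes: int = 1_000_000) -> str:
    """Return the character data of untrusted XML, or raise UnsafeXML.
    DOCTYPE is refused unless allow_dtd; with a DTD, entities that reference
    other entities are rejected and max_text_bytes caps expanded output."""
    parser = expat.ParserCreate()
    parts = []
    seen = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE/inline DTD rejected for untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # expat passes the literal replacement text, so a nested reference
        # shows up as a literal '&' (the building block of exponential growth).
        if value is not None and "&" in value:
            raise UnsafeXML(f"entity {name!r} references other entities")

    def on_text(text):
        nonlocal seen
        seen += len(text.encode("utf-8"))
        if seen > max_text_bytes:
            raise UnsafeXML(f"expanded text exceeds {max_text_bytes} bytes")
        parts.append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return "".join(parts)

def is_safe(data: bytes, **policy) -> bool:
    """True if the document parses under the given policy, False if rejected."""
    try:
        parse_untrusted_xml(data, **policy)
        return True
    except UnsafeXML:
        return False

# Constructed samples: plain doc, flat one-entity DTD, two-level nested DTD.
PLAIN = b"<r>hi<b>there</b></r>"
FLAT = b'<!DOCTYPE r [<!ENTITY a "aaaa">]><r>&a;&a;</r>'
NESTED = b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]><r>&b;&b;&b;</r>'
```

Recent libexpat releases also enforce an amplification limit of their own; the checks here are the application-level policy the mitigation asks for, and the DOCTYPE and entity-declaration checks fire before any expansion takes place.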

Related Weaknesses

CWE-ID Weakness Name

CWE-770

Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References

REF-64

Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
Amit Klein.
http://www.securityfocus.com/archive/1/303509

REF-65

Attacking & Defending Web Services
Pete Lindstrom.
http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf

REF-66

Tip: Configure SAX parsers for secure processing
Elliotte Rusty Harold.
http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html

REF-67

XML Denial of Service Attacks and Defenses
Bryan Sullivan.
http://msdn.microsoft.com/en-us/magazine/ee335713.aspx

Submission

Name Organization Date Release Date
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Resources_Required
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated References
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Mitigations
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Related_Attack_Patterns, Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2021-10-21 +00:00 Updated @Name, Alternate_Terms, Description, Example_Instances, Execution_Flow, Mitigations, Prerequisites, Related_Weaknesses, Skills_Required
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Execution_Flow
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Example_Instances