CAPEC-221 Detail

Data Serialization External Entities Blowup

Detailed Software Software

Parents: 231 278

Threats: T64 T72 T77 T280 T289 T293 T294 T386 T399

Description

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML) where the value of the replacement is a URI. A crafted file can make the entity refer to a URI whose retrieval consumes a large amount of resources, creating a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

Not present

| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-221 | capec | https://capec.mitre.org/data/definitions/221.html | |
| CWE-611 | cwe | http://cwe.mitre.org/data/definitions/611.html | |
| 43 | WASC | http://projects.webappsec.org/XML-External-Entities | XML External Entities |

Explore
  1. Find target web service: The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML.

Experiment
  1. Host malicious file on a server: The adversary will create a web server that contains a malicious file. This file will be extremely large, so that if a web service were to try to load it, the service would most likely hang.

  2. Craft malicious data: Using the serialization language that the web service takes as input, the adversary will craft data that links to the malicious file using an external entity reference to the URL of the file.

Exploit
  1. Send serialized data containing URI: The adversary will send specially crafted serialized data to the web service. When the web service loads the input, it will attempt to download the malicious file. Depending on the amount of memory the web service has, this could either crash the service or cause it to hang, resulting in a Denial of Service attack.

  1. A server that has an implementation that accepts entities containing URI values.

Not present

Not present

Integrity Availability Confidentiality
Execute Unauthorized Commands (Run Arbitrary Code) Resource Consumption Execute Unauthorized Commands (Run Arbitrary Code)
Execute Unauthorized Commands (Run Arbitrary Code)
  1. In this example, the XML parser parses the attacker's XML and opens the malicious URI, which points to a server the attacker controls; that server writes a massive amount of data to the response stream. Here the malicious URI is a large file transfer.

     <!DOCTYPE bomb []>&detonate;
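
A defender-side check for the prerequisite listed above (an implementation that accepts entities containing URI values), added here as an example that is not part of the CAPEC entry. It uses Python's standard-library expat bindings to list external entity declarations without fetching anything and refuses such documents before they reach the real parser; the function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample inputs (not taken from the page).
BENIGN = b"<order><item>widget</item></order>"
INTERNAL = b'<!DOCTYPE n [<!ENTITY co "Example Corp">]><n>&co;</n>'
SUSPECT = (
    b'<!DOCTYPE order [\n'
    b'  <!ENTITY big SYSTEM "http://files.example.invalid/large.bin">\n'
    b']>\n'
    b"<order><item>&big;</item></order>"
)


class ExternalEntityRejected(ValueError):
    """The document declares an entity whose value is a URI."""


def external_entity_decls(data: bytes) -> list:
    """Return [(entity name, system id)] for each external entity declared.

    Nothing is fetched: no ExternalEntityRefHandler is installed, so expat
    reports the declaration and skips any reference to it.
    """
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones have
        # value None and a system identifier (the URI) instead.
        if value is None and system_id is not None:
            found.append((name, system_id))

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)  # raises expat.ExpatError on malformed input
    return found


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse only documents that declare no URI-valued entities."""
    decls = external_entity_decls(data)
    if decls:
        raise ExternalEntityRejected(f"external entities declared: {decls}")
    return ET.fromstring(data)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("internal", INTERNAL), ("suspect", SUSPECT)):
        print(label, external_entity_decls(doc))
```

Internal entities with literal values still parse; only declarations that carry a system identifier are refused, which is the condition this pattern depends on.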