This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

How does a Data Serialization External Entities Blowup attack work?

It typically unfolds over 4 phases. It begins with: [Find target web service] The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML.

How do you prevent CAPEC-221?

This attack may be mitigated by tweaking the XML parser to not resolve external entities. If external entities are needed, then implement a custom XmlResolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.

What weaknesses does CAPEC-221 target?

CAPEC-221 exploits 1 CWE weakness, including CWE-611 (Improper Restriction of XML External Entity Reference).

CAPEC-221: Data Serialization External Entities Blowup

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Find target web service] The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML.
Step 2
Experiment
[Host malicious file on a server] The adversary will create a web server that contains a malicious file. This file will be extremely large, so that if a web service were to try to load it, the service would most likely hang.
Step 2
Experiment
[Craft malicious data] Using the serialization language that the web service takes as input, the adversary will craft data that links to the malicious file using an external entity reference to the URL of the file.
Step 4
Exploit
[Send serialized data containing URI] The adversary will send specially crafted serialized data to the web service. When the web service loads the input, it will attempt to download the malicious file. Depending on the amount of memory the web service has, this could either crash the service or cause it to hang, resulting in a Denial of Service attack.

How the attack works

CAPEC-221: Data Serialization External Entities Blowup

Overview

How the attack works

What the attacker needs

Prerequisites

Consequences

How to mitigate it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-221?

How does a Data Serialization External Entities Blowup attack work?

How do you prevent CAPEC-221?

What weaknesses does CAPEC-221 target?

References

Defend against CAPEC-221

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-221?

How does a Data Serialization External Entities Blowup attack work?

How do you prevent CAPEC-221?

What weaknesses does CAPEC-221 target?

References

Defend against CAPEC-221