CAPEC-221: Data Serialization External Entities Blowup

Abstraction
Detailed
Status
Draft

Description

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

Related weaknesses (1)

CWE-611

Related attack patterns (2)

CAPEC-231 (ChildOf)
CAPEC-278 (ChildOf)

Exploits (1)

Type      Target                                                    ID       Confidence  Tier
Weakness  Improper Restriction of XML External Entity Reference     CWE-611  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Serialized Data Parameter Blowup
CAPEC: Serialized Data External Linking
CAPEC: Serialized Data with Nested Payloads
CAPEC: DTD Injection
CAPEC: Oversized Serialized Data Payloads
CAPEC: Exponential Data Expansion

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.