Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-491:Quadratic Data Expansion
Attack Pattern ID:491
Version:v3.9
Attack Pattern Name:Quadratic Data Expansion
Abstraction:Detailed
Status:Draft
Likelihood of Attack:
Typical Severity:
DetailsContent HistoryRelated WeaknessesReports
▼Description
An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources.
▼Extended Description
▼Alternate Terms
XML Entity Expansion (XEE)

▼Relationships
NatureTypeIDName
ChildOfS230Serialized Data with Nested Payloads
CanFollowD228DTD Injection
Nature: ChildOf
Type: Standard
ID: 230
Name: Serialized Data with Nested Payloads
Nature: CanFollow
Type: Detailed
ID: 228
Name: DTD Injection
▼Execution Flow
Explore
1.

Survey the target

An adversary determines the input data stream that is being processed by a data parser that supports using substituion on the victim's side.

Technique
Use an automated tool to record all instances of URLs to process requests.
Use a browser to manually explore the website and analyze how the application processes requests.
Exploit
1.

Craft malicious payload

The adversary crafts malicious message containing nested quadratic expansion that completely uses up available server resource.

Technique
2.

Send the message

Send the malicious crafted message to the target URL.

Technique
▼Prerequisites
This type of attack requires a server that accepts serialization data which supports substitution and parses the data.
▼Skills Required
▼Resources Required
▼Indicators
▼Consequences
ScopeLikelihoodImpactNote
AvailabilityN/AUnreliable ExecutionResource ConsumptionDenial of Service
Scope: Availability
Likelihood: N/A
Impact: Unreliable Execution, Resource Consumption
Note: Denial of Service
▼Mitigations
Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.
Implementation: For XML based data - disable altogether the use of inline DTD schemas when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.
▼Example Instances
▼Related Weaknesses
IDName
CWE-770Allocation of Resources Without Limits or Throttling
ID: CWE-770
Name: Allocation of Resources Without Limits or Throttling
▼Taxonomy Mappings
Taxonomy NameEntry IDEntry Name
▼Notes
▼References
Details not found