CAPEC-221: Data Serialization External Entities Blowup
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
执行流程
步骤 1 Explore
[Find target web service] The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML.
步骤 2 Experiment
[Host malicious file on a server] The adversary will create a web server that contains a malicious file. This file will be extremely large, so that if a web service were to try to load it, the service would most likely hang.
步骤 2 Experiment
[Craft malicious data] Using the serialization language that the web service takes as input, the adversary will craft data that links to the malicious file using an external entity reference to the URL of the file.
步骤 4 Exploit
[Send serialized data containing URI] The adversary will send specially crafted serialized data to the web service. When the web service loads the input, it will attempt to download the malicious file. Depending on the amount of memory the web service has, this could either crash the service or cause it to hang, resulting in a Denial of Service attack.
前提条件
- A server that has an implementation that accepts entities containing URI values.
后果影响
影响范围: Availability
技术影响: Resource Consumption
影响范围: Confidentiality Integrity Availability
技术影响: Execute Unauthorized Commands
说明: Run Arbitrary Code
缓解措施
This attack may be mitigated by tweaking the XML parser to not resolve external entities. If external entities are needed, then implement a custom XmlResolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.
This attack may be mitigated by tweaking the serialized data parser to not resolve external entities. If external entities are needed, then implement a custom resolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| WASC | 43 | XML External Entities |