CAPEC-528: XML Flood
CAPEC Version: 3.9
Updated: 2023-01-24
Attack Pattern Description
An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing.
Execution Flow
Step 1: Explore
[Survey the target] Using a browser or an automated tool, an attacker records all instances of web services that process XML requests.
- Use an automated tool to record all instances of URLs to process XML requests.
- Use a browser to manually explore the website and analyze how the application processes XML requests.
Step 2: Experiment
An adversary crafts input data that may have an adverse effect on the operation of the web service when the XML data is sent to the service.
Step 3: Exploit
[Launch a resource depletion attack] The attacker delivers a large number of XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. This causes a denial of service in the target application.
- Send a large number of crafted XML messages to the target URL.
Prerequisites
- The target must receive and process XML transactions.
- An adversary must possess the ability to generate a large number of XML-based messages to send to the target service.
Skills Required
Consequences
Scope: Availability
Technical Impact: Resource Consumption
Mitigations
Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.
Implementation: Provide for network flow control and traffic shaping to control access to the resources.
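The two mitigations above (throttling at the resource-allocation layer and a timeout on transactions that do not complete in time) can be combined in the request handler itself. The following is an added example, not code from CAPEC or any referenced product; the client key, limits and status codes are assumed for illustration, and it uses a bounded incremental parse so one request cannot hold the parser indefinitely.

```python
import time
import xml.etree.ElementTree as ET
from collections import defaultdict
from io import BytesIO


class TokenBucket:
    """Per-client throttle: `rate` requests/second sustained, `burst` at once."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = defaultdict(lambda: burst)   # bucket starts full
        self.last = {}                              # last refill time per client

    def allow(self, client):
        now = self.clock()
        elapsed = now - self.last.get(client, now)
        self.last[client] = now
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


class ParseTimeout(Exception):
    """Raised when a single XML transaction exceeds its wall-clock budget."""


def parse_with_budget(payload, max_bytes=64_000, max_elements=10_000,
                      deadline_s=0.2, clock=time.monotonic):
    """Parse incrementally and abort on size, element-count, or time budget."""
    if len(payload) > max_bytes:
        raise ValueError("payload too large")
    deadline = clock() + deadline_s
    count, root = 0, None
    for _event, elem in ET.iterparse(BytesIO(payload), events=("start",)):
        count += 1
        root = root if root is not None else elem
        if count > max_elements:
            raise ValueError("too many elements")
        if clock() > deadline:                      # timeout on the allocated parse
            raise ParseTimeout("parse exceeded time budget")
    return root


def handle_request(bucket, client, payload):
    """Assumed status mapping: 429 throttled, 408 timed out, 413 over limit, 400 malformed."""
    if not bucket.allow(client):                    # throttle before allocating a parser
        return 429
    try:
        parse_with_budget(payload)
    except ParseTimeout:
        return 408
    except ValueError:
        return 413
    except ET.ParseError:
        return 400
    return 200
```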
Example Instances
Consider the case of an attack performed against the createCustomerBillingAccount Web Service for an online store. In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Service may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability of the involved Web Service.
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1499.002 | Endpoint Denial of Service:Service Exhaustion Flood |
| ATTACK | 1498.001 | Network Denial of Service:Direct Network Flood |