Resource Depletion through DTD Injection in a SOAP Message |
Attack Pattern ID: 228 (Detailed Attack Pattern Completeness: Stub) | Typical Severity: Medium | Status: Draft |
Summary
An attacker uses a SOAP message to deliver a crafted DTD that consumes excessive resources when it is parsed on the end system, resulting in resource depletion. DTDs describe how XML documents are to be processed. Certain malformed DTDs (for example, those with excessive entity expansion, as described in CAPEC 197) can cause the XML parsers that process them to consume excessive resources, resulting in resource depletion. In this attack, the XML parser is part of a service that processes SOAP messages.
Attack Prerequisites
The target must be running a SOAP client that contains vulnerabilities making it susceptible to malformed DTDs.
Solutions and Mitigations
Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in resource depletion.
Implementation: Disallow the inclusion of DTDs in SOAP messages.
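The implementation-level mitigation above, rejecting a DTD at the SOAP boundary before any of its entities are even declared, as an added Python example that is not part of the CAPEC entry. The SOAP envelopes are constructed samples and the function and exception names are assumptions for this illustration.

```python
import xml.parsers.expat as expat


class DTDRejected(ValueError):
    """Raised when a SOAP message carries a DOCTYPE; nothing gets expanded."""


def parse_soap_without_dtd(envelope: bytes) -> list[str]:
    """Parse a SOAP envelope and return the element names seen.

    The parser aborts as soon as it meets '<!DOCTYPE', which is before any
    <!ENTITY> declaration in the internal subset has been read, so a DTD
    built for entity expansion never gets the chance to be expanded.
    """
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDRejected(f"DOCTYPE '{name}' is not allowed in a SOAP message")

    def on_entity_decl(*_):
        # Defence in depth: no entity may be registered even if a DOCTYPE
        # somehow reached this point without triggering on_doctype.
        raise DTDRejected("entity declarations are not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(envelope, True)  # exceptions raised in handlers surface here
    return seen


def inspect_soap_message(envelope: bytes) -> dict:
    """Return a verdict record suitable for logging at the service boundary."""
    try:
        elements = parse_soap_without_dtd(envelope)
    except (DTDRejected, expat.ExpatError) as exc:
        return {"accepted": False, "reason": str(exc), "elements": []}
    return {"accepted": True, "reason": "", "elements": elements}


# Constructed sample messages (not from the CAPEC page).
CLEAN_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote><symbol>ACME</symbol></GetQuote></soap:Body>
</soap:Envelope>"""

# Same envelope with an injected internal DTD; the nesting is kept tiny
# because the point is that it is rejected before being read at all.
DTD_SOAP = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [ <!ENTITY a "x"> <!ENTITY b "&a;&a;"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote><symbol>&b;</symbol></GetQuote></soap:Body>
</soap:Envelope>"""
```

Running `inspect_soap_message` over both samples accepts the clean envelope and returns a rejection record naming the DOCTYPE for the injected one.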
Relationships
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Attack Pattern | 130 | Resource Depletion through Allocation | | Mechanism of Attack (primary) 1000 |
ChildOf | Attack Pattern | 197 | XEE (XML Entity Expansion) | | Mechanism of Attack 1000 |
28 June 2016