Resource Depletion through DTD Injection in a SOAP Message
Attack Pattern ID: 228 (Detailed Attack Pattern Completeness: Stub)
Typical Severity: Medium
Status: Draft
+ Description

Summary

An attacker uses a SOAP message to deliver a crafted DTD that consumes excessive resources when parsed on the target system, resulting in resource depletion. A DTD (Document Type Definition) declares the structure of an XML document, including the entities it may reference. Certain crafted DTDs, syntactically valid but abusive (for example, those with nested entity expansion as described in CAPEC-197), can cause the XML parser that processes them to consume excessive memory or CPU, resulting in resource depletion. In this attack, the XML parser is part of a service that processes SOAP messages, and the DTD arrives as the DOCTYPE declaration of a request envelope.

+ Attack Prerequisites

The target must be running a SOAP endpoint (usually the service, although a SOAP client that parses responses is equally exposed) whose XML parser processes DTDs carried in incoming messages without limiting entity expansion.

+ Resources Required

The attacker must be able to craft custom DTDs and embed them in SOAP messages that reach the target's parser.

+ Solutions and Mitigations

Design: Bound what an incoming DTD can make the parser do: cap entity expansion depth and total expanded size, and reject external entities, so that no DTD can drive resource consumption beyond a fixed budget. Attempting to sanitize arbitrary DTDs is harder and less reliable than enforcing such limits in the parser.

Implementation: Disallow DTDs in SOAP messages entirely by configuring the XML parser to reject any DOCTYPE declaration before entities are processed. The SOAP 1.1 and 1.2 specifications already state that a SOAP message must not contain a Document Type Declaration, so rejecting it breaks no conforming client.
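
As an added example (not part of the CAPEC entry), the following Python shows a constructed SOAP request whose internal DTD subset nests entity references in the CAPEC-197 pattern, the default xml.etree parse that expands them in full, and the two mitigations above: refusing any DOCTYPE with an expat handler, and computing an entity-expansion budget from the declarations before parsing. The envelope contents, the GetQuote operation, the element names and the expansion sizes are all constructed for illustration.

```python
"""Added example (not CAPEC text): DTD-driven entity expansion in a SOAP
envelope, beside a DOCTYPE-rejecting parse and an expansion-budget check."""
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample request. Each entity references the previous one ten
# times; kept to 4 levels (10^4 bytes) so it is harmless to run. An attacker
# would use many more levels to exhaust memory on the parsing service.
MALICIOUS_SOAP = """<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote><symbol>&d;</symbol></GetQuote></soap:Body>
</soap:Envelope>"""

# Constructed benign request with the same operation and no DOCTYPE.
BENIGN_SOAP = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote><symbol>ACME</symbol></GetQuote></soap:Body>
</soap:Envelope>"""


class DTDRejected(ValueError):
    """Raised when a SOAP message declares a DOCTYPE or an abusive entity."""


def vulnerable_symbol_length(xml_text: str) -> int:
    """Default ElementTree parse: internal entities declared in the DTD are
    expanded in full, so the 3-byte reference &d; becomes 10,000 bytes."""
    root = ET.fromstring(xml_text)
    return len(next(root.iter("symbol")).text)


def parse_soap_body_rejecting_dtd(xml_text: str) -> dict:
    """Hardened parse with expat: abort as soon as a DOCTYPE appears, before
    any entity is declared or expanded. Returns {local_name: text} for the
    elements that carry non-blank character data."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    fields, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of the declaration; raising here stops parsing.
        raise DTDRejected(f"DOCTYPE {name!r} not allowed in a SOAP message")

    def on_start(name, attrs):
        stack.append([name.rsplit("}", 1)[-1], []])  # strip namespace URI

    def on_chars(data):
        if stack:
            stack[-1][1].append(data)

    def on_end(name):
        local, chunks = stack.pop()
        text = "".join(chunks).strip()
        if text:
            fields[local] = text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(xml_text, True)
    return fields


ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


def entity_expansion_sizes(xml_text: str) -> dict:
    """Design-level budget check: compute each declared entity's fully
    expanded size from the internal subset without expanding anything.
    Handles only quoted internal general entities; parameter and external
    entities do not match the pattern and should simply be rejected."""
    decls = dict(ENTITY_DECL.findall(xml_text))
    sizes = {}

    def size(name, seen=()):
        if name in sizes:
            return sizes[name]
        if name not in decls:
            return 1  # predefined entity such as &amp; expands to one char
        if name in seen:
            raise DTDRejected(f"recursive entity {name!r}")
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters
        for ref in ENTITY_REF.findall(value):
            total += size(ref, seen + (name,))
        sizes[name] = total
        return total

    for name in decls:
        size(name)
    return sizes


if __name__ == "__main__":
    print("expanded symbol bytes:", vulnerable_symbol_length(MALICIOUS_SOAP))
    print("entity budget:", entity_expansion_sizes(MALICIOUS_SOAP))
    print("benign body:", parse_soap_body_rejecting_dtd(BENIGN_SOAP))
```

A service would apply the DOCTYPE rejection as the primary gate and keep the expansion budget as a defence-in-depth limit (comparable to the entity-size and amplification limits in libxml2 and recent Expat) for any parser that must still accept DTDs.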

+ Related Weaknesses
CWE-ID  Weakness Name                                              Weakness Relationship Type
770     Allocation of Resources Without Limits or Throttling       Targeted
400     Uncontrolled Resource Consumption ('Resource Exhaustion')  Targeted
100     Technology-Specific Input Validation Problems              Targeted
+ Related Attack Patterns
Nature   Type            ID   Name                                    View(s) this relationship pertains to
ChildOf  Attack Pattern  130  Resource Depletion through Allocation   Mechanism of Attack (primary) 1000
ChildOf  Attack Pattern  197  XEE (XML Entity Expansion)              Mechanism of Attack 1000