This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Description
Attack Execution Flow
4
1
Step 1
Explore[Find target web service] The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML.
AI Translation
[Trova il servizio web di destinazione] L'attaccante deve prima individuare un servizio web che accetti dati di input sotto forma di un linguaggio serializzato come XML o YAML.
2
Step 2
Experiment[Host malicious file on a server] The adversary will create a web server that contains a malicious file. This file will be extremely large, so that if a web service were to try to load it, the service would most likely hang.
AI Translation
[Hostare un file dannoso su un server] L'attore malevolo creerà un server web che contiene un file dannoso. Questo file sarà estremamente grande, in modo che se un servizio web tentasse di caricarlo, il servizio probabilmente si bloccherebbe.
3
Step 3
Experiment[Craft malicious data] Using the serialization language that the web service takes as input, the adversary will craft data that links to the malicious file using an external entity reference to the URL of the file.
AI Translation
[Creare dati dannosi] Utilizzando il linguaggio di serializzazione accettato dal servizio web, l'attaccante creerà dati che collegano al file dannoso tramite un riferimento a entità esterna all'URL del file.
4
Step 4
Exploit[Send serialized data containing URI] The adversary will send specially crafted serialized data to the web service. When the web service loads the input, it will attempt to download the malicious file. Depending on the amount of memory the web service has, this could either crash the service or cause it to hang, resulting in a Denial of Service attack.
AI Translation
[Invio di dati serializzati contenenti URI] L’attore malevolo invierà dati serializzati appositamente creati al servizio web. Quando il servizio web caricherà l’input, tenterà di scaricare il file dannoso. A seconda della quantità di memoria disponibile nel servizio web, ciò potrebbe causare il crash del servizio o il suo blocco, risultando in un attacco di Denial of Service.
Mitigations
2
This Attack May Be Mitigated By Tweaking The Xml Parser To Not Resolve External Entities. If External Entities Are Needed, Then Implement A Custom Xmlresolver That Has A Request Timeout, Data Retrieval Limit, And Restrict Resources It Can Retrieve Locally.
This Attack May Be Mitigated By Tweaking The Serialized Data Parser To Not Resolve External Entities. If External Entities Are Needed, Then Implement A Custom Resolver That Has A Request Timeout, Data Retrieval Limit, And Restrict Resources It Can Retrieve Locally.
Consequences
Security Scopes Affected
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Resource Consumption