CAPEC-197: Exponential Data Expansion

Description
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
Extended Description

The possible outcomes of a Principal Spoof mirror those of Identity Spoofing. (e.g., escalation of privilege and false attribution of data or activities) Likewise, most techniques for Identity Spoofing (crafting messages or intercepting and replaying or modifying messages) can be used for a Principal Spoof attack. However, because a Principal Spoof is used to impersonate a person, social engineering can be both an attack technique (using social techniques to generate evidence in support of a false identity) as well as a possible outcome (manipulating people's perceptions by making statements or performing actions under a target's name).

Severity :

Medium

Possibility :

High

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-228: DTD Injection DTD Injection CAPEC-230: Serialized Data with Nested Payloads Serialized Data with Nested Payloads
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • This type of attack requires that the target must receive input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low Ability to craft nested data expansion messages.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

WASC | XML Entity Expansion
Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Visit http://capec.mitre.org/ for more details.