CAPEC-228

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Severity: Medium
DTD Injection

Description

An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.

Prerequisites

The target must be running an XML based application that leverages DTDs.

Mitigations

Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.

Implementation: Disallow the inclusion of DTDs as part of incoming messages.

Implementation: Use XML parsing tools that protect against DTD attacks.