Dark Mode

Settings

Capec-201 Detail

Serialized Data External Linking

Detailed Software Communications Software Likelihood: High Typical Severity: High

Parents: 122 278

Threats: T61 T74 T264 T265 T269 T294 T308 T309

Description

An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.

Not present

External ID Source Link Description
CAPEC-201 capec https://capec.mitre.org/data/definitions/201.html
CWE-829 cwe http://cwe.mitre.org/data/definitions/829.html
REF-73 reference_from_CAPEC http://www.securiteam.com/securitynews/6D0100A5PU.html XXE (Xml eXternal Entity) Attack, Beyond Security
REF-74 reference_from_CAPEC http://scary.beasts.org/security/CESA-2007-002.html CESA-2007-002 - rev 2: Sun JDK6 breaks XXE attack protection
Explore

  1. Survey the target: Using a browser or an automated tool, an adversary records all instances of web services that process requests with serialized data.

    2. Techniques
    Use an automated tool to record all instances of URLs that process requests with serialized data.
    Use a browser to manually explore the website and analyze how the application processes serialized data requests.
Exploit

  1. Craft malicious payload: The adversary crafts malicious data message that contains references to sensitive files.

  2. Launch an External Linking attack: Send the malicious crafted message containing the reference to a sensitive file to the target URL.

  1. The target must follow external data references without validating the validity of the reference target.
  1. None: No specialized resources are required to execute this type of attack.
Low
To send serialized data messages with maliciously crafted schema.
Confidentiality
Read Data
  1. The following DTD would attempt to open the /dev/tty device: ]> A malicious actor could use this crafted DTD to reveal sensitive information.
  2. The following XML snippet would attempt to open the /etc/passwd file:

We use cookies to ensure you get the best experience on our website.