CAPEC-230 Detail

Serialized Data with Nested Payloads

Abstraction: Standard
Domain: Software
Likelihood of Attack: Medium
Typical Severity: High

Parents: 130

Children: 197 491

Threats: T61 T64 T74 T77 T269 T282 T289 T374 T401

Description

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

Extended Description

An adversary's goal is to leverage parser failure to their advantage. In most cases this type of attack results in a Denial of Service, with the application becoming unstable, freezing, or crashing. However, it may also be possible to cause a crash that results in arbitrary code execution, a jump from the data plane to the control plane [REF-89]. This attack is most closely associated with web services using SOAP or a REST API, because remote service requesters can post malicious payloads to the service provider. The main weakness is that the service provider generally must inspect, parse, and validate the messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that this attack targets. The attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
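
As an added defensive illustration, not part of the CAPEC entry, the check below reads only the DOCTYPE's internal entity declarations with Python's standard-library expat parser, computes how many bytes each entity produces after nested substitution, and refuses the document before the real parser ever expands the body; the sample document, the budget thresholds and all function names are constructed for this example.

```python
import contextlib
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")   # a reference inside replacement text
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}      # each expands to a single character
class _StopAtContent(Exception): pass                  # raised once the DTD has been read

def collect_internal_entities(doc: str) -> dict:
    """Return {name: replacement text} for internal general entities declared in the DOCTYPE.
    Parsing stops at ']>' (or at the root element), so the body is never expanded here."""
    found = {}
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:        # internal general entities only
            found[name] = value
    def stop(*_): raise _StopAtContent
    p = xml.parsers.expat.ParserCreate()
    p.EntityDeclHandler = on_entity
    p.EndDoctypeDeclHandler = stop                    # nothing after ']>' can declare entities
    p.StartElementHandler = stop                      # no DOCTYPE at all: stop at the root
    with contextlib.suppress(_StopAtContent):
        p.Parse(doc, True)
    return found

def expanded_size(name, entities, memo, active=frozenset()) -> int:
    # Bytes produced by fully substituting &name;, following nested references.
    if name in PREDEFINED: return 1
    if name in memo: return memo[name]
    if name in active: raise ValueError(f"recursive entity reference: &{name};")  # XML forbids this
    value = entities.get(name)
    if value is None: return len(name) + 2            # undeclared/external: count the reference itself
    size, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        size += (m.start() - pos) + expanded_size(m.group(1), entities, memo, active | {name})
        pos = m.end()
    memo[name] = size + len(value) - pos
    return memo[name]

def within_entity_budget(doc, max_bytes=1_000_000, max_amplification=10.0) -> bool:
    """Pre-parse gate: refuse the document before the real parser substitutes anything."""
    entities = collect_internal_entities(doc)
    memo = {}
    sizes = [expanded_size(n, entities, memo) for n in entities]
    declared = max(1, sum(len(v) for v in entities.values()))   # bytes literally present in the DTD
    return max(sizes, default=0) <= max_bytes and sum(sizes) / declared <= max_amplification

SAMPLE = """<!DOCTYPE note [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;">
]><note>&c;</note>"""   # constructed: three levels of three-fold nesting, a harmless 90-byte expansion
```

The thresholds are policy: size the byte budget to the largest legitimate document the service expects, and keep the amplification ratio low, since benign DTDs rarely need more than a few-fold substitution.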

References

External ID | Source | Link | Description
CAPEC-230 | capec | https://capec.mitre.org/data/definitions/230.html |
CWE-112 | cwe | http://cwe.mitre.org/data/definitions/112.html |
CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html |
CWE-674 | cwe | http://cwe.mitre.org/data/definitions/674.html |
CWE-770 | cwe | http://cwe.mitre.org/data/definitions/770.html |
REF-89 | reference_from_CAPEC | http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html | Shlomo Yona, "XML Parser Attacks: A summary of ways to attack an XML Parser", 2007

Explore
  1. An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side.

Exploit
  1. An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.

Prerequisites

  1. An application's user-controllable data is expressed in a language that supports substitution.
  2. An application does not perform sufficient validation to ensure that user-controllable data is not malicious.


Consequences

Scope | Technical Impact
Integrity | Execute Unauthorized Commands
Availability | Execute Unauthorized Commands; Resource Consumption
Authorization | Execute Unauthorized Commands; Gain Privileges
Access Control | Gain Privileges
Confidentiality | Gain Privileges; Read Data
