Dark Mode
Capec-231 Detail
Oversized Serialized Data Payloads
Standard Software Likelihood: Medium Typical Severity: High
Parents: 130
Children: 221 229
Threats: T61 T64 T74 T77 T264 T265 T269 T282 T289 T308 T309 T374 T401
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.
Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the parser, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to their advantage. DoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious data payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-231 | capec | https://capec.mitre.org/data/definitions/231.html | |
| CWE-112 | cwe | http://cwe.mitre.org/data/definitions/112.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| CWE-674 | cwe | http://cwe.mitre.org/data/definitions/674.html | |
| CWE-770 | cwe | http://cwe.mitre.org/data/definitions/770.html | |
| REF-89 | reference_from_CAPEC | http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html | Shlomo, Yona, XML Parser Attacks: A summary of ways to attack an XML Parser, 2007 |
Explore
-
An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side.
Experiment
-
An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.
- An application uses an parser for serialized data to perform transformation on user-controllable data.
- An application does not perform sufficient validation to ensure that user-controllable data is safe for a data parser.
Not present
| Low | High |
|---|---|
| Denial of service | |
| Arbitrary code execution |
| Integrity | Availability | Authorization | Access Control | Confidentiality |
|---|---|---|---|---|
| Execute Unauthorized Commands | Resource Consumption | Gain Privileges | Gain Privileges | Read Data |
| Execute Unauthorized Commands | Execute Unauthorized Commands | |||
| Gain Privileges |
Not present