CAPEC-586 Detail
Object Injection
Abstraction: Meta | Domain: Software | Likelihood of Attack: Medium | Typical Severity: High
An adversary attempts to exploit an application by injecting additional, malicious content into the serialized objects it processes. Developers use serialization to convert data or program state into a static (often binary) representation for saving to disk or sending over a network, and deserialize it later to recover that data or state. If the application deserializes a malformed or attacker-controlled object before validating it, the adversary can manipulate the deserialization process itself: object fields the application trusts can be rewritten, and in many serialization frameworks the act of reconstructing an object triggers code (constructors, magic methods, reduce/resolve hooks), so the outcome can range from data tampering and denial of service to remote code execution.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-586 | capec | https://capec.mitre.org/data/definitions/586.html | |
| CWE-502 | cwe | http://cwe.mitre.org/data/definitions/502.html | |
| REF-468 | reference_from_CAPEC | | Deserialization of Untrusted Data, 2017-01, OWASP |
- The target application must deserialize untrusted data before validating it (for example, restoring a session or cache object from a client-supplied cookie, request body or file without first checking its integrity or restricting which types may be instantiated).
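The description and the prerequisite above describe the pattern abstractly. The following added example (written for this page, not code from CAPEC or OWASP) shows it concretely in Python's pickle, which instantiates arbitrary globals during deserialization: a hypothetical `Session` object, two attacker-crafted blobs (one that tampers with a field, one that carries a `__reduce__` gadget), a vulnerable loader that deserializes before any validation, and a hardened loader that checks an HMAC first and then deserializes under a type allowlist. `SERVER_KEY`, the class and function names, and the blobs are all constructed for the demonstration; the gadget calls `os.getcwd` so that running it is harmless, where a real payload would reference `os.system` or `subprocess.Popen`.

```python
import hashlib
import hmac
import io
import os
import pickle

# Constructed secret for the demonstration; a real service would load it from a
# key store and rotate it.
SERVER_KEY = b"demo-key-not-for-production"


class Session:
    """Legitimate application object that the server serializes and later restores."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


# Attacker side -----------------------------------------------------------------

class Gadget:
    """Hypothetical attacker-crafted object. pickle records the callable and the
    arguments returned by __reduce__, and the victim's unpickler invokes them on
    load. os.getcwd is used so the demo has no side effects; a real payload would
    reference os.system or subprocess.Popen instead."""

    def __reduce__(self):
        return (os.getcwd, ())


def craft_rce_blob():
    """Serialized object whose reconstruction executes a callable of the attacker's choice."""
    return pickle.dumps(Gadget())


def craft_escalated_blob():
    """Integrity consequence: a well-formed Session whose role field was tampered with."""
    return pickle.dumps(Session("guest", "admin"))


# Vulnerable server side --------------------------------------------------------

def load_session_vulnerable(blob):
    """Deserializes before any validation: both crafted blobs are accepted."""
    return pickle.loads(blob)


# Hardened server side ----------------------------------------------------------

class RestrictedUnpickler(pickle.Unpickler):
    """Only the application's own Session class may be instantiated; every other
    global reference (os.getcwd, builtins.eval, subprocess.Popen, ...) is refused."""

    ALLOWED = {(Session.__module__, "Session")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def sign(blob):
    """Server attaches an HMAC-SHA256 tag so only blobs it produced are accepted later."""
    tag = hmac.new(SERVER_KEY, blob, hashlib.sha256).digest()
    return tag + blob


def load_session_hardened(signed_blob):
    """Validate first (constant-time MAC check), then deserialize under the allowlist."""
    tag, blob = signed_blob[:32], signed_blob[32:]
    expected = hmac.new(SERVER_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session blob failed integrity check")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Runs both loaders against the crafted blobs and reports what each accepted."""
    results = {}
    # Vulnerable: the gadget runs during load (os.getcwd() returns a path string)
    # and the escalated role is trusted as-is.
    results["vuln_rce"] = load_session_vulnerable(craft_rce_blob())
    results["vuln_role"] = load_session_vulnerable(craft_escalated_blob()).role
    # Hardened: unsigned attacker blobs never reach the unpickler ...
    for blob in (craft_rce_blob(), craft_escalated_blob()):
        try:
            load_session_hardened(b"\x00" * 32 + blob)
            results["hardened_unsigned"] = "accepted"
        except ValueError:
            results["hardened_unsigned"] = "rejected"
    # ... and even a correctly signed gadget (e.g. after a key leak) is stopped
    # by the allowlist before any attacker-chosen callable is resolved.
    try:
        load_session_hardened(sign(craft_rce_blob()))
        results["hardened_signed_gadget"] = "accepted"
    except pickle.UnpicklingError:
        results["hardened_signed_gadget"] = "rejected"
    # The legitimate round trip still works.
    results["legit"] = load_session_hardened(sign(pickle.dumps(Session("alice", "user")))).role
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two controls are layered deliberately: the MAC check addresses the prerequisite directly (data is validated before it is deserialized), while the `find_class` allowlist limits the damage if the key is ever compromised, because pickle resolves every class or function reference through that single hook. A format that cannot express code references at all (JSON with an explicit schema) removes the execution consequence entirely and is the better choice for new designs.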
| Integrity | Availability | Authorization |
|---|---|---|
| Modify Data (An adversary can rewrite fields of objects or data that the application assumed were safe from modification once serialized.) | Resource Consumption (A function that decides when to stop based on a sentinel value in the deserialized data, such as a terminator in a string or a length field, can be driven into an unbounded loop or allocation and exhaust available resources.) | Execute Unauthorized Commands (Functions that assume the contents of a deserialized object are valid, including the constructors and callbacks invoked during reconstruction, can be made to run attacker-chosen code.) |