CAPEC-231

Oversized Serialized Data Payloads
Likelihood of Attack: Medium
Typical Severity: High
Status: Draft
Submitted: 2014-06-23
Last Modified: 2022-09-29

CAPEC Description

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects on the parser, such as exhaustion of system resources (memory, stack or CPU) and, where the parser's handling of such input is faulty, arbitrary code execution.

CAPEC Information

Execution Flow

1) Explore

An adversary determines the input data stream that is being processed by a serialized data parser on the victim's side.

2) Experiment

An adversary crafts input data that will have an adverse effect on the data parser when it is parsed on the victim's system, for example payloads that are far larger, more deeply nested, or more repetitive than any legitimate input.
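The Experiment step above amounts to measuring how a parser behaves on inputs that are too large or too deeply nested. The following probe is an added example, not code from CAPEC or from the cited reference: Python's standard-library json parser stands in for the victim's parser, and the two payload generators produce constructed inputs (a deeply nested array and a wide flat array) so that the failure mode and the memory amplification per input byte can be observed offline.

```python
"""Experiment step of CAPEC-231: probe a serialized-data parser with crafted
oversized JSON payloads and record how it fails (stack exhaustion) or how much
heap it allocates per input byte (amplification). Python's stdlib json parser
stands in for the victim's parser; all payloads are constructed, not captured."""
import json
import time
import tracemalloc


def nested_payload(depth: int) -> str:
    """Deeply nested array [[[[...]]]]: one nesting level per byte pair,
    aimed at parsers that recurse once per level."""
    return "[" * depth + "]" * depth


def flat_payload(count: int) -> str:
    """Wide array of small integers: compact on the wire, but each element
    becomes at least a pointer-sized slot once parsed."""
    return "[" + ",".join(["0"] * count) + "]"


def probe(parser, payload: str) -> dict:
    """Run `parser` on `payload`, catching the failure modes a resource attack
    produces, and report wall time and peak traced heap usage."""
    tracemalloc.start()
    start = time.perf_counter()
    try:
        parser(payload)
        outcome = "ok"
    except RecursionError:      # recursive-descent parser exhausted its stack budget
        outcome = "RecursionError"
    except MemoryError:
        outcome = "MemoryError"
    except ValueError as exc:   # json.JSONDecodeError is a ValueError subclass
        outcome = type(exc).__name__
    elapsed = time.perf_counter() - start
    _current, peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return {
        "outcome": outcome,
        "payload_bytes": len(payload),          # payloads are pure ASCII
        "peak_heap_bytes": peak,
        "amplification": round(peak / len(payload), 2),
        "seconds": round(elapsed, 4),
    }


def probe_json(payload: str) -> dict:
    """Convenience wrapper: probe the stdlib json parser."""
    return probe(json.loads, payload)


if __name__ == "__main__":
    print("shallow:", probe_json(nested_payload(20)))
    print("deep   :", probe_json(nested_payload(100_000)))
    print("wide   :", probe_json(flat_payload(200_000)))
```

The deep payload trips CPython's recursion guard rather than crashing the process; a parser in a language without such a guard would overflow the native stack instead. The wide payload parses successfully but allocates several times its own size, which is the ratio an attacker scales up until the victim runs out of memory.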

Prerequisites

An application uses a parser for serialized data to perform transformations on user-controllable data.
An application does not perform sufficient validation to ensure that user-controllable data is safe for the data parser.

Consequences

Denial of service
Arbitrary code execution

Mitigations

Carefully validate and sanitize all user-controllable serialized data prior to passing it to the parser routine. Ensure that the resultant data is safe to pass to the parser.
Perform validation on canonical (decoded and normalized) data, so that encoding variations cannot bypass the checks.
Pick a robust implementation of the serialized data parser, one that bounds nesting depth and allocation rather than trusting the input to be well-formed.
Validate data against a valid schema or DTD prior to parsing. Apply size and depth limits before schema validation, since the validator must itself read the whole payload.
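The mitigations above, and the crafted inputs of the Experiment step, come together in a bounded deserialization wrapper. The following is an added example written for this page, not CAPEC's or any library's own code: it caps raw size first, then runs an iterative, string-aware bracket scan to reject excessive nesting before the recursive parser ever sees the input, and finally bounds the element count of the parsed object graph. The limit values and sample payloads are illustrative choices for this example.

```python
"""Bounded deserialization for CAPEC-231: enforce size, nesting-depth and
element-count limits around a JSON parse so oversized or deeply nested
payloads are rejected before (or without) exhausting the parser.
Limits and sample payloads are illustrative values chosen for this example."""
import json


class PayloadRejected(ValueError):
    """Raised when input violates a pre-parse or post-parse bound."""


MAX_BYTES = 64 * 1024   # hard cap on the raw payload
MAX_DEPTH = 32          # nesting levels of arrays/objects
MAX_ITEMS = 10_000      # total array elements + object members


def scan_depth(text: str, max_depth: int) -> int:
    """Return the maximum nesting depth of a JSON text using an iterative,
    string-aware bracket scan (no recursion, linear in len(text)). Brackets
    inside string literals, including after escapes, are ignored. Raises as
    soon as max_depth is exceeded; balance and validity are left to the parser."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise PayloadRejected(f"depth exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def count_items(obj, max_items: int) -> int:
    """Count container members iteratively (explicit stack, no recursion)
    and reject once the running total passes max_items."""
    total = 0
    stack = [obj]
    while stack:
        current = stack.pop()
        if isinstance(current, dict):
            total += len(current)
            stack.extend(current.values())
        elif isinstance(current, list):
            total += len(current)
            stack.extend(current)
        if total > max_items:
            raise PayloadRejected(f"items exceed {max_items}")
    return total


def safe_loads(raw: bytes, *, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH, max_items=MAX_ITEMS):
    """Parse JSON bytes only if they satisfy all bounds; cheapest check first."""
    if len(raw) > max_bytes:
        raise PayloadRejected(f"size {len(raw)} exceeds {max_bytes} bytes")
    text = raw.decode("utf-8")          # strict decoding: malformed UTF-8 is an error
    scan_depth(text, max_depth)         # before the recursive parser sees the input
    obj = json.loads(text)
    count_items(obj, max_items)         # after: bound the object graph we keep
    return obj


def rejection_reason(raw: bytes, **limits):
    """Return None if `raw` is accepted, else the reason it was rejected."""
    try:
        safe_loads(raw, **limits)
    except PayloadRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    deep = b"[" * 100_000 + b"]" * 100_000
    try:
        json.loads(deep)                # unbounded parse: recursion budget blown
    except RecursionError:
        print("json.loads: RecursionError")
    print("safe_loads:", rejection_reason(deep))
    print("brackets inside a string:", rejection_reason(b'{"s":"' + b"[" * 100 + b'"}'))
```

The order of checks matters: the size cap costs O(1), the depth scan is linear and allocation-free, and only input that passes both reaches the parser, whose output is then bounded by the item count. Brackets inside string literals do not count toward depth, so legitimate data containing them is not falsely rejected.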

Related Weaknesses

CWE-ID   Weakness Name

CWE-112  Missing XML Validation
The product accepts XML from an untrusted source but does not validate the XML against the proper schema.

CWE-20   Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-674  Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

CWE-770  Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

References

REF-89  Shlomo, Yona. XML Parser Attacks: A summary of ways to attack an XML Parser.
http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html

Submission

Name                Organization            Date        Release Date
CAPEC Content Team  The MITRE Corporation   2014-06-23 +00:00

Modifications

Name                Organization            Date        Comment
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Alternate_Terms, Description, Execution_Flow, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated @Name, Description, Execution_Flow, Indicators, Mitigations, Prerequisites
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Description, Notes
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Description, Extended_Description