CAPEC-493
Benachrichtigung für ein CAPEC
Bleiben Sie über alle Änderungen zu einem bestimmten CAPEC informiert.
CAPEC-Beschreibungen
An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service.
CAPEC-Informationen
Voraussetzungen
This type of an attack requires the attacker to know the endpoint of the web service, and be able to reach the endpoint with a malicious SOAP message.Gegenmaßnahmen
Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. One such method could be comparing the declared number of items in the array with the existing number of elements of the array. If these numbers don't match drop the SOAP packet at the web service layer.Verwandte Schwachstellen
| Name der Schwachstelle | |
|---|---|
CWE-770 |
Allocation of Resources Without Limits or Throttling The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Referenzen
REF-422
SOAP Array Attackhttp://www.ws-attacks.org/index.php/Soap_Array_Attack
Einreichung
| Name | Organisation | Datum | Veröffentlichungsdatum |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Änderungen
| Name | Organisation | Datum | Kommentar |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns |
