CAPEC-201 Detail

CAPEC-201

Name

Serialized Data External Linking

Likihood attacks

High

Typical Severity

High

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2022-09-29
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.

Informations CAPEC

Execution Flow

1) Explore

[Survey the target] Using a browser or an automated tool, an adversary records all instances of web services that process requests with serialized data.

Technique

Use an automated tool to record all instances of URLs that process requests with serialized data.
Use a browser to manually explore the website and analyze how the application processes serialized data requests.

2) Exploit

[Craft malicious payload] The adversary crafts malicious data message that contains references to sensitive files.

3) Exploit

[Launch an External Linking attack] Send the malicious crafted message containing the reference to a sensitive file to the target URL.

Prerequisites

The target must follow external data references without validating the validity of the reference target.

Skills Required

To send serialized data messages with maliciously crafted schema.

Resources Required

None: No specialized resources are required to execute this type of attack.

Mitigations

Configure the serialized data processor to only retrieve external entities from trusted sources.

Related Weaknesses

CWE-ID	Weakness Name
CWE-829	Inclusion of Functionality from Untrusted Control Sphere The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

REF-73

XXE (Xml eXternal Entity) Attack
http://www.securiteam.com/securitynews/6D0100A5PU.html

REF-74

CESA-2007-002 - rev 2: Sun JDK6 breaks XXE attack protection
http://scary.beasts.org/security/CESA-2007-002.html

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2017-08-04 +00:00	Updated Activation_Zone, Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description, Description Summary, Examples-Instances, Injection_Vector, Methods_of_Attack, Payload, Payload_Activation_Impact, Resources_Required, Typical_Likelihood_of_Exploit, Typical_Severity
CAPEC Content Team	The MITRE Corporation	2018-07-31 +00:00	Updated Attack_Phases, Description Summary, Related_Attack_Patterns, Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated @Name, Description, Execution_Flow, Mitigations, Skills_Required
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Consequences, Description
CAPEC Content Team	The MITRE Corporation	2021-10-21 +00:00	Updated Description, Example_Instances, Execution_Flow, Prerequisites
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00	Updated Example_Instances, Related_Attack_Patterns