CAPEC-230

Serialized Data with Nested Payloads
Likelihood of attack: Medium
Typical severity: High
Status: Draft
Created: 2014-06-23 00:00 +00:00
Last modified: 2021-10-21 00:00 +00:00

CAPEC Description

Applications often need to transform data in and out of a data format (e.g., XML or YAML) by using a parser. An adversary may be able to inject data that has an adverse effect on the parser while it is being processed. Many data format languages allow the definition of macro-like structures (XML entities, YAML anchors and aliases) that simplify the creation of complex structures. By nesting these structures so that the data is substituted repeatedly, each level multiplying the output of the level below it, an adversary can make the parser consume far more resources than the size of the input suggests, causing excessive memory consumption and CPU utilization.

CAPEC Information

Execution Flow

1) Explore

An adversary determines the input data stream that is being processed by a data parser that supports substitution on the victim's side.

2) Exploit

An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.

Prerequisites

An application's user-controllable data is expressed in a language that supports substitution.
An application does not perform sufficient validation to ensure that user-controllable data is not malicious.

Mitigations

Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. Ensure that the resultant data is safe to pass to the data parser.
Perform validation on canonical data.
Pick a robust implementation of the data parser: one that disables inline definitions (DTD entities, aliases) where the application does not need them, or that enforces limits on nesting depth and on the ratio of expanded output to input size, so that a small document cannot be made to expand without bound.
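The following is an added example, written for this page and not part of the CAPEC entry or MITRE's material. It shows the XML instance of the pattern described above (YAML anchors and aliases behave the same way): a document a few hundred bytes long declares entities that each reference the previous one several times, so the parser's output grows geometrically with nesting depth. It then implements the mitigation's "robust parser" in the form of a pre-parse budget check built on the standard library's expat binding: the DTD is read on its own, the expanded size of every entity is computed by arithmetic on lengths alone, and the document is rejected before any expansion happens if the bound exceeds the budget. All function names (build_nested_doc, declared_entities, worst_case_sizes, parse_with_budget) and the sample documents are this example's own constructions.

```python
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Matches a general entity reference such as &e2; (the predefined &lt; etc. match too).
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")


def build_nested_doc(depth, fanout, leaf="lol"):
    """Constructed sample input (not from the CAPEC entry).

    e0 is the literal `leaf`; each e{k} is `fanout` references to e{k-1}; the body
    references e{depth} once.  A parser that honours the DTD expands the body into
    fanout**depth copies of `leaf`, from a document only a few hundred bytes long.
    """
    decls = [f'<!ENTITY e0 "{leaf}">']
    for k in range(1, depth + 1):
        refs = f"&e{k - 1};" * fanout
        decls.append(f'<!ENTITY e{k} "{refs}">')
    return "<!DOCTYPE r [\n" + "\n".join(decls) + "\n]>\n" + f"<r>&e{depth};</r>"


def expanded_text_length(xml_doc):
    """Parse with the standard library parser (no budget of its own) and return how
    much text the nested entities actually expanded to.  Only call this on small input."""
    root = ET.fromstring(xml_doc)
    return len(root.text or "")


class _DoctypeDone(Exception):
    """Raised from a handler to stop expat once the DTD has been read."""


def declared_entities(xml_doc):
    """Read only the DOCTYPE of `xml_doc` and return {entity name: raw replacement text}.

    expat reports internal entity values with nested references still unexpanded, and
    parsing is aborted at the end of the DTD, so the body is never expanded here.
    """
    entities = {}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:  # internal general entity
            entities[name] = value

    def on_end_doctype():
        raise _DoctypeDone

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(xml_doc, True)
    except _DoctypeDone:
        pass
    return entities


def worst_case_sizes(entities):
    """Compute the fully expanded length of every declared entity using lengths alone,
    so a 10-level, 10-way nesting costs a few hundred integer additions rather than
    3 * 10**10 bytes of string building.  Reference cycles are rejected."""
    sizes = {}

    def size_of(name, active):
        if name in sizes:
            return sizes[name]
        if name not in entities:  # predefined (&lt;) or undeclared: one character
            return 1
        if name in active:
            raise ValueError(f"entity {name} references itself")
        value = entities[name]
        total = len(ENTITY_REF.sub("", value))          # literal characters
        for ref in ENTITY_REF.findall(value):            # plus each nested reference
            total += size_of(ref, active | {name})
        sizes[name] = total
        return total

    for name in entities:
        size_of(name, frozenset())
    return sizes


def parse_with_budget(xml_doc, max_expanded_bytes=1_000_000):
    """Mitigation: refuse the document before parsing if the entities it declares could
    expand past `max_expanded_bytes`.  The bound counts every reference in the whole
    document (declarations included), so it is conservative, never an underestimate."""
    sizes = worst_case_sizes(declared_entities(xml_doc))
    bound = sum(sizes.get(ref, 1) for ref in ENTITY_REF.findall(xml_doc))
    if bound > max_expanded_bytes:
        raise ValueError(f"entity expansion could reach {bound} bytes, budget is {max_expanded_bytes}")
    return ET.fromstring(xml_doc)


if __name__ == "__main__":
    small = build_nested_doc(depth=3, fanout=3)        # 3**3 = 27 copies of "lol"
    print(worst_case_sizes(declared_entities(small)))  # {'e0': 3, 'e1': 9, 'e2': 27, 'e3': 81}
    print(expanded_text_length(small))                 # 81
    big = build_nested_doc(depth=10, fanout=10)        # would expand to 3 * 10**10 bytes
    try:
        parse_with_budget(big)
    except ValueError as err:
        print("rejected:", err)
```

The check deliberately never touches the document body with an expanding parser until the arithmetic bound has passed; a parser that only counts depth would still accept a wide, shallow nesting, and one that only counts entity declarations would accept a deep, narrow one, whereas the expanded-size bound catches both. In deployments where the input format never legitimately needs inline definitions, disabling DTD processing outright is the simpler and stronger choice.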

Related Weaknesses

CWE-112: Missing XML Validation
The product accepts XML from an untrusted source but does not validate the XML against the proper schema.

CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-674: Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

CWE-770: Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

REF-89

XML Parser Attacks: A summary of ways to attack an XML Parser
Shlomo, Yona.
http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html

Submission

Submitted by the CAPEC Content Team (The MITRE Corporation), 2014-06-23 +00:00.

Modifications

2019-09-30 +00:00, CAPEC Content Team (The MITRE Corporation): Updated Alternate_Terms, Description, Execution_Flow, Indicators, Related_Attack_Patterns
2020-07-30 +00:00, CAPEC Content Team (The MITRE Corporation): Updated Description
2021-06-24 +00:00, CAPEC Content Team (The MITRE Corporation): Updated Related_Weaknesses
2021-10-21 +00:00, CAPEC Content Team (The MITRE Corporation): Updated @Name, Description, Execution_Flow, Extended_Description, Indicators, Mitigations, Prerequisites, Skills_Required