CAPEC-231 Détail

CAPEC-231

Nom

Oversized Serialized Data Payloads

Probabilité d'attaque

Moyen

Gravité typique

Haute

Statut

Draft

Publié

2014-06-23
00h00 +00:00

Modifié

2022-09-29
00h00 +00:00

Liens officiels

CAPEC Mitre.org

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Gestion des notifications

Liste des Notifications

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CAPEC ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CAPEC

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.

Informations du CAPEC

Flux d'exécution

1) Explore

An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side.

2) Experiment

An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.

Conditions préalables

An application uses an parser for serialized data to perform transformation on user-controllable data.
An application does not perform sufficient validation to ensure that user-controllable data is safe for a data parser.

Compétences requises

Denial of service
Arbitrary code execution

Atténuations

Carefully validate and sanitize all user-controllable serialized data prior to passing it to the parser routine. Ensure that the resultant data is safe to pass to the parser.
Perform validation on canonical data.
Pick a robust implementation of the serialized data parser.
Validate data against a valid schema or DTD prior to parsing.

Faiblesses connexes

CWE-ID	Nom de la faiblesse
CWE-112	Missing XML Validation The product accepts XML from an untrusted source but does not validate the XML against the proper schema.
CWE-20	Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-674	Uncontrolled Recursion The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-770	Allocation of Resources Without Limits or Throttling The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Références

REF-89

XML Parser Attacks: A summary of ways to attack an XML Parser
Shlomo, Yona.
http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html

Soumission

Nom	Organisation	Date	Date de publication
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Nom	Organisation	Date	Commentaire
CAPEC Content Team	The MITRE Corporation	2019-09-30 +00:00	Updated Alternate_Terms, Description, Execution_Flow, Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated @Name, Description, Execution_Flow, Indicators, Mitigations, Prerequisites
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Description, Notes
CAPEC Content Team	The MITRE Corporation	2021-06-24 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00	Updated Description, Extended_Description

Détail du CAPEC-231