CAPEC-221: Data Serialization External Entities Blowup
Description
Extended Description
For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able to spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, the attacker may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions.
Severity :
Possibility :
Type : Detailed
Relationships with other CAPECs
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Prerequisites
- A server that has an implementation that accepts entities containing URI values.
Skills required
Taxonomy mappings
Mappings to ATT&CK, OWASP and other frameworks.
Related CWE
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.
Visit http://capec.mitre.org/ for more details.