CAPEC-230: Serialized Data with Nested Payloads

Description

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

Extended Description

An adversary's goal is to leverage parser failure to their advantage. In most cases this type of an attack will result in a Denial of Service due to an application becoming unstable, freezing, or crashing. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [REF-89].

This attack is most closely associated with web services using SOAP or a Rest API, because remote service requesters can post malicious payloads to the service provider. The main weakness is that the service provider generally must inspect, parse, and validate the messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that this attack targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Severity :

High

Possibility :

Medium

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-130: Excessive Allocation Excessive Allocation CAPEC-197: Exponential Data Expansion Exponential Data Expansion CAPEC-491: Quadratic Data Expansion Quadratic Data Expansion

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

An application's user-controllable data is expressed in a language that supports subsitution.
An application does not perform sufficient validation to ensure that user-controllable data is not malicious.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-20: Improper Input Validation

CWE-112: Missing XML Validation

CWE-674: Uncontrolled Recursion

CWE-770: Allocation of Resources Without Limits or Throttling

Visit http://capec.mitre.org/ for more details.