CAPEC-52: Embedding NULL Bytes
Description
Extended Description
WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol.
Severity :
High
Possibility :
High
Type :
Detailed
Relationships with other CAPECs
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Prerequisites
This table shows the other attack patterns and high level categories that are related to this attack pattern.
- The program does not properly handle postfix NULL terminators
Skills required
This table shows the other attack patterns and high level categories that are related to this attack pattern.
- Medium Directory traversal
- High Execution of arbitrary code
Taxonomy mappings
Mappings to ATT&CK, OWASP and other frameworks.
Related CWE
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.
CWE-20: Improper Input Validation
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-158: Improper Neutralization of Null Byte or NUL Character
CWE-172: Encoding Error
CWE-173: Improper Handling of Alternate Encoding
CWE-697: Incorrect Comparison
CWE-707: Improper Neutralization
Visit http://capec.mitre.org/ for more details.