CAPEC-230: Serialized Data with Nested Payloads
CAPEC Version: 3.9
Updated: 2023-01-24
Attack Pattern Description
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
Execution Flow
Step 1 Explore
An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side.
Step 2 Exploit
An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.
Prerequisites
- An application's user-controllable data is expressed in a language that supports substitution.
- An application does not perform sufficient validation to ensure that user-controllable data is not malicious.
Consequences
Scope: Availability
Technical Impact: Resource Consumption
Scope: Confidentiality
Technical Impact: Read Data
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute Unauthorized Commands
Scope: Confidentiality, Access Control, Authorization
Technical Impact: Gain Privileges
Mitigations
Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. Ensure that the resultant data is safe to pass to the data parser.
Perform validation on canonical data.
Pick a robust implementation of the data parser.
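The nested substitution described above, and the mitigation of validating before handing data to a parser, as an added example that is not part of the CAPEC entry: a wrapper around Python's standard expat parser that computes, from each internal entity declaration as it is seen, how large that entity would expand to and how deeply it nests, and aborts the parse before expansion exceeds a budget. The sample document, limits and function names are constructed for this illustration.

```python
import re
import xml.parsers.expat

# Constructed sample input: three levels of nested entity substitution, each
# level referencing the level below four times, so &e3; expands to 4**3 = 64 "x".
NESTED_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE d [
  <!ENTITY e0 "x">
  <!ENTITY e1 "&e0;&e0;&e0;&e0;">
  <!ENTITY e2 "&e1;&e1;&e1;&e1;">
  <!ENTITY e3 "&e2;&e2;&e2;&e2;">
]>
<d>&e3;</d>"""

PLAIN_DOC = b'<?xml version="1.0"?><d>hello</d>'  # constructed, no DTD

_ENTITY_REF = re.compile(r"&([^;&\s]+);")


class EntityExpansionLimit(ValueError):
    """Raised when the DTD would expand past the configured budget."""


def parse_with_budget(data, max_expansion=10_000, max_depth=8):
    """Parse XML, rejecting DTDs whose internal entities would expand beyond
    max_expansion characters or nest deeper than max_depth levels.
    Returns the concatenated character data of the document."""
    size = {}    # entity name -> fully expanded length in characters
    depth = {}   # entity name -> nesting depth (1 = no nested references)
    text = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:   # external entity: no local replacement text
            return
        # Referenced entities must already be declared, so their cost is known;
        # unknown names (e.g. the predefined &amp;) are charged one character.
        refs = _ENTITY_REF.findall(value)
        size[name] = len(_ENTITY_REF.sub("", value)) + sum(size.get(r, 1) for r in refs)
        depth[name] = 1 + max((depth.get(r, 0) for r in refs), default=0)
        if size[name] > max_expansion or depth[name] > max_depth:
            raise EntityExpansionLimit(
                f"entity {name!r} expands to {size[name]} chars at depth {depth[name]}")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl     # runs before any expansion
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)                      # handler exceptions propagate
    return "".join(text)


def exceeds_budget(data, **limits):
    """True if parse_with_budget would reject the document under the limits."""
    try:
        parse_with_budget(data, **limits)
    except EntityExpansionLimit:
        return True
    return False
```

The budget is enforced per declaration, so a document is rejected at the first entity whose cost is too high, before the parser ever expands it into the document body.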