CAPEC-231: Oversized Serialized Data Payloads
CAPEC Version: 3.9
Last Updated: 2023-01-24
Description
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.
Execution Flow
Step 1: Explore
An adversary determines the input data stream that is being processed by a serialized data parser on the victim's side.
Step 2: Experiment
An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.
Prerequisites
- An application uses a parser for serialized data to perform transformation on user-controllable data.
- An application does not perform sufficient validation to ensure that user-controllable data is safe for a data parser.
Skills Required
Consequences
Scope: Availability
Technical Impact: Resource Consumption
Scope: Confidentiality
Technical Impact: Read Data
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute Unauthorized Commands
Scope: Confidentiality, Access Control, Authorization
Technical Impact: Gain Privileges
Mitigations
Carefully validate and sanitize all user-controllable serialized data prior to passing it to the parser routine. Ensure that the resultant data is safe to pass to the parser.
Perform validation on canonical data.
Pick a robust implementation of the serialized data parser.
Validate data against a valid schema or DTD prior to parsing.
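The mitigations above (validate and size-check user-controllable serialized data before the parser sees it, then check the parsed result against a schema) can be combined into a single guarded entry point. The following Python is an added example written for this page, not code from CAPEC; it assumes JSON as the serialization format, a 64 KiB size limit, a nesting-depth limit of 32, and a constructed two-key schema, all of which are illustrative choices rather than values from the entry.

```python
import json
from typing import Any, Dict

# Assumed limits for this example; tune them to the application's real inputs.
MAX_PAYLOAD_BYTES = 64 * 1024
MAX_NESTING_DEPTH = 32


class PayloadRejected(ValueError):
    """Raised when serialized input fails a pre-parse or schema check."""


def nesting_depth(raw: str) -> int:
    """Return the deepest bracket/brace nesting in raw JSON text.

    Brackets inside string literals are ignored. The scan is O(n) time and
    O(1) memory, so it can run on untrusted input before the real parser
    (which may recurse or allocate per level) is ever invoked.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


# Constructed schema (assumption): the expected top-level keys and their types.
SCHEMA = {"user": str, "items": list}


def validate_schema(obj: Any, schema: Dict[str, type]) -> None:
    """Reject objects that have unexpected keys, missing keys or wrong types."""
    if not isinstance(obj, dict):
        raise PayloadRejected("top-level value must be an object")
    unexpected = set(obj) - set(schema)
    if unexpected:
        raise PayloadRejected(f"unexpected keys: {sorted(unexpected)}")
    for key, typ in schema.items():
        if key not in obj:
            raise PayloadRejected(f"missing key: {key}")
        if not isinstance(obj[key], typ):
            raise PayloadRejected(f"key {key!r} must be {typ.__name__}")


def safe_parse(raw: bytes, schema: Dict[str, type] = SCHEMA) -> Dict[str, Any]:
    """Size check, depth check, decode, parse, then schema-validate, in that order."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise PayloadRejected(f"payload of {len(raw)} bytes exceeds limit")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PayloadRejected("payload is not valid UTF-8") from exc
    depth = nesting_depth(text)
    if depth > MAX_NESTING_DEPTH:
        raise PayloadRejected(f"nesting depth {depth} exceeds limit")
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        raise PayloadRejected("malformed JSON") from exc
    validate_schema(obj, schema)
    return obj


def check(raw: bytes) -> str:
    """Return 'accepted' or the rejection reason, for logging or tests."""
    try:
        safe_parse(raw)
        return "accepted"
    except PayloadRejected as exc:
        return f"rejected: {exc}"


# Constructed sample inputs (not taken from the CAPEC entry).
GOOD = b'{"user": "alice", "items": [1, 2, 3]}'
TOO_BIG = b'{"user": "' + b"A" * MAX_PAYLOAD_BYTES + b'", "items": []}'
TOO_DEEP = b"[" * (MAX_NESTING_DEPTH + 1) + b"]" * (MAX_NESTING_DEPTH + 1)
BAD_SHAPE = b'{"user": "alice", "items": "not-a-list"}'

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("too_big", TOO_BIG),
                         ("too_deep", TOO_DEEP), ("bad_shape", BAD_SHAPE)]:
        print(f"{name:10s} -> {check(sample)}")
```

The ordering matters: the byte-length and depth checks cost a linear scan and reject oversized or deeply nested input before `json.loads` allocates anything, while the schema check runs last because it needs the parsed object. The same three-stage shape (pre-parse limits, robust parser, post-parse schema validation) applies to XML, YAML or binary formats with the parser and schema checker swapped out.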