CAPEC-586: Object Injection
CAPEC version: 3.9
Last updated: 2023-01-24
Attack pattern description
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Prerequisites
- The target application must deserialize data before validating it.
Consequences
Scope: Availability
Technical impact: Resource Consumption
Note: If a function decides when to terminate based on a sentinel value inside a string, it can easily never terminate and exhaust available resources.
Scope: Integrity
Technical impact: Modify Data
Note: Attackers can modify objects or data that were assumed to be safe from modification.
Scope: Authorization
Technical impact: Execute Unauthorized Commands
Note: Functions that assume information in the deserialized object is valid can be exploited.
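The description and the prerequisite above both turn on the same point: the deserializer reconstructs whatever classes the input names before the application gets a chance to validate anything. The following added example (not part of the CAPEC entry) shows the defensive pattern in Python's pickle module: an Unpickler whose find_class hook refuses any class outside a constructed allowlist, plus a size cap against the resource-exhaustion consequence. The allowlist, the size limit and the sample inputs are assumptions of this example.

```python
import builtins
import datetime
import io
import pickle

# Assumed allowlist: only these (module, name) pairs may be reconstructed.
# Plain containers such as dict, list and str never go through find_class.
SAFE_CLASSES = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
}

MAX_PAYLOAD_BYTES = 64 * 1024  # assumed cap to bound deserialization work


class RestrictedUnpickler(pickle.Unpickler):
    """pickle calls find_class() for every class reference in the stream,
    so overriding it is the point where an application can validate
    what the input is allowed to instantiate, before any object exists."""

    def find_class(self, module, name):
        if (module, name) in SAFE_CLASSES:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"refusing to load {module}.{name}: not an allowlisted class"
        )


def safe_loads(data: bytes):
    """Deserialize untrusted bytes with size and class restrictions applied."""
    if len(data) > MAX_PAYLOAD_BYTES:
        raise ValueError("serialized payload exceeds size limit")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo_class_restriction():
    # Constructed inputs: plain data is accepted; a stream naming a class
    # outside the allowlist (datetime.date, harmless here) is refused.
    accepted = safe_loads(pickle.dumps({"user": "alice", "roles": ["viewer"]}))
    try:
        safe_loads(pickle.dumps(datetime.date(2023, 1, 24)))
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return accepted, refused


def demo_size_limit():
    # Constructed oversized input: rejected before any parsing happens.
    try:
        safe_loads(b"\x80" * (MAX_PAYLOAD_BYTES + 1))
        return False
    except ValueError:
        return True
```

The same hook exists in other ecosystems (for example resolver or type filters in Java and .NET deserializers); the principle is identical: decide what may be instantiated before the deserializer does.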