Detailedlikelihood: Highseverity: HighDraft

CAPEC-201Serialized Data External Linking

Abstraction
Detailed
Status
Draft
Likelihood
High
Severity
High

Description

An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.

Related weaknesses· 1

CWE-829

Related attack patterns· 2

CAPEC-122 (ChildOf)CAPEC-278 (ChildOf)

Exploits1

TypeTargetConfidenceTier
WeaknessInclusion of Functionality from Untrusted Control Spherecwe-829100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
Data Serialization External Entities Blowup
CAPEC
Serialized Data with Nested Payloads
CAPEC
Serialized Data Parameter Blowup
CAPEC
Object Injection
CAPEC
Oversized Serialized Data Payloads
CAPEC
XML Injection
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.