CAPEC-229 Serialized Data Parameter Blowup

Abstraction: Detailed
Status: Draft
Likelihood: High
Severity: High

Description

This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) that manage data in an inefficient manner. The attacker crafts a serialized data file with multiple configuration parameters in the same dataset. In a vulnerable parser, this results in a denial of service condition in which CPU resources are exhausted because of the parsing algorithm. The weakness being exploited is tied to the parser implementation and is not language specific.
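As an added defensive illustration (not part of the CAPEC entry or the cs-graph corpus), the following Python stream-parses XML and rejects a document as soon as any element carries more than a configured number of attributes, or the document as a whole exceeds a configured element count, so the work spent on an oversized input is bounded instead of growing with its size. Treating the "configuration parameters" as XML attributes, the budget values, and the constructed sample builder are all assumptions.

```python
import io
import xml.etree.ElementTree as ET

# Assumed budgets; tune them to the largest legitimate document you expect.
MAX_ATTRIBUTES_PER_ELEMENT = 64
MAX_ELEMENTS = 10_000


class ParameterBlowupError(ValueError):
    """Raised when a document exceeds the configured parameter budget."""


def parse_with_limits(xml_bytes: bytes,
                      max_attrs: int = MAX_ATTRIBUTES_PER_ELEMENT,
                      max_elements: int = MAX_ELEMENTS) -> int:
    """Stream-parse XML, aborting at the first element that breaks a limit.

    Checking on each 'start' event rejects an oversized element before the
    rest of the document is materialised into a tree. Returns the element
    count of an accepted document; raises ParameterBlowupError otherwise.
    """
    elements = 0
    for _event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("start",)):
        elements += 1
        if elements > max_elements:
            raise ParameterBlowupError(f"more than {max_elements} elements")
        if len(elem.attrib) > max_attrs:
            raise ParameterBlowupError(
                f"<{elem.tag}> carries {len(elem.attrib)} attributes "
                f"(limit {max_attrs})")
    return elements


def is_within_budget(xml_bytes: bytes, **limits) -> bool:
    """Boolean wrapper suitable for an input-validation gate."""
    try:
        parse_with_limits(xml_bytes, **limits)
        return True
    except ParameterBlowupError:
        return False


def constructed_sample(n_attrs: int) -> bytes:
    """Constructed test input: one <config> element with n_attrs attributes."""
    attrs = " ".join(f'p{i}="v"' for i in range(n_attrs))
    return f"<config {attrs}/>".encode()


if __name__ == "__main__":
    print(is_within_budget(constructed_sample(10)))   # True
    print(is_within_budget(constructed_sample(500)))  # False
```

The check runs after the underlying expat parser has tokenised each start tag, so it bounds the allocation and tree-building work downstream of the tokeniser; it does not replace whatever limits the parser library itself offers.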

Related weaknesses (1)

CWE-770

Related attack patterns (1)

CAPEC-231 (ChildOf)

Exploits (1)

Type | Target | Confidence | Tier
Weakness | Allocation of Resources Without Limits or Throttling (CWE-770) | 100% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Serialized Data with Nested Payloads
CAPEC: Data Serialization External Entities Blowup
CAPEC: Oversized Serialized Data Payloads
CAPEC: Serialized Data External Linking
CAPEC: Exponential Data Expansion
CAPEC: SOAP Array Blowup

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.