
CAPEC-230: Serialized Data with Nested Payloads

Abstraction: Standard
Status: Draft
Likelihood: Medium
Severity: High

Description

Applications often need to transform data into and out of a serialization format (e.g., XML or YAML) using a parser. An adversary may be able to inject data that has an adverse effect on the parser while it is being processed. Many data format languages allow the definition of macro-like structures (XML internal entities, YAML anchors and aliases) that simplify the creation of complex documents. By nesting these structures so that each level is substituted many times into the next, an adversary makes the parser's expansion work grow exponentially with the nesting depth: a payload of under a kilobyte can force the parser to allocate gigabytes of memory and burn CPU expanding it. The classic instance is the "billion laughs" XML document, in which nine levels of entities, each referencing the previous one ten times, expand a 3-byte base entity to roughly 3 GB of text.
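The following is an added example, not MITRE/CAPEC material: it constructs the nested-entity payload the description refers to, then shows the check a practitioner actually wants, which is to cost the expansion by walking the entity reference graph before any expansion happens and to refuse the document when the estimate exceeds a limit. The payload generator, the regexes and the limit value are assumptions of this example; it handles only internal general entities in the DOCTYPE internal subset (external and parameter entities are out of scope, and rejecting DTDs entirely is the simpler policy when you do not need them).

```python
import re
import xml.etree.ElementTree as ET

# Internal general entities declared in the DOCTYPE internal subset, e.g.
#   <!ENTITY lol1 "&lol0;&lol0;">
ENTITY_DECL_RE = re.compile(r'''<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
INTERNAL_SUBSET_RE = re.compile(r'<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>', re.S)
ENTITY_REF_RE = re.compile(r'&([\w.-]+);')
# The five predefined XML entities each expand to a single character.
PREDEFINED = {"amp": 1, "lt": 1, "gt": 1, "quot": 1, "apos": 1}


def build_nested_payload(depth: int, fanout: int = 10) -> str:
    """Constructed sample input (the classic nested-entity shape): lol0 is the
    3-byte string "lol" and every lolN is `fanout` references to lolN-1, so the
    single reference in the body expands to 3 * fanout**depth bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        body = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{body}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE doc [\n' + "\n".join(decls)
            + f'\n]>\n<doc>&lol{depth};</doc>')


def entity_definitions(xml_text: str) -> dict:
    """Map entity name -> literal replacement text from the internal subset."""
    m = INTERNAL_SUBSET_RE.search(xml_text)
    if not m:
        return {}
    return {name: dq or sq for name, dq, sq in ENTITY_DECL_RE.findall(m.group(1))}


def entity_expansion_sizes(entities: dict, limit=None) -> dict:
    """Expanded length of every entity, computed by walking the reference graph
    with memoisation instead of materialising any text, so a 3 GB payload is
    costed in microseconds. Raises ValueError on recursive or undefined
    references, or as soon as one entity would exceed `limit` bytes."""
    sizes = {}
    in_progress = set()

    def size_of(name: str) -> int:
        if name in sizes:
            return sizes[name]
        if name in PREDEFINED:
            return PREDEFINED[name]
        if name in in_progress:
            raise ValueError(f"recursive entity &{name};")
        if name not in entities:
            raise ValueError(f"undefined entity &{name};")
        in_progress.add(name)
        body = entities[name]
        total = len(ENTITY_REF_RE.sub("", body))  # literal text in the body
        for ref in ENTITY_REF_RE.findall(body):   # plus each nested reference
            total += size_of(ref)
            if limit is not None and total > limit:
                raise ValueError(f"&{name}; would expand past {limit} bytes")
        in_progress.remove(name)
        sizes[name] = total
        return total

    for name in entities:
        size_of(name)
    return sizes


def estimate_document_expansion(xml_text: str, limit=None) -> int:
    """Bytes that the entity references outside the DTD would expand to."""
    sizes = entity_expansion_sizes(entity_definitions(xml_text), limit)
    body = INTERNAL_SUBSET_RE.sub("", xml_text, count=1)
    total = 0
    for ref in ENTITY_REF_RE.findall(body):
        total += sizes.get(ref, PREDEFINED.get(ref, 0))
        if limit is not None and total > limit:
            raise ValueError(f"document would expand past {limit} bytes")
    return total


def parse_with_expansion_limit(xml_text: str, limit: int = 1_000_000):
    """Refuse the document before any expansion happens if the estimate exceeds
    `limit`; otherwise hand it to the stdlib parser, which does expand entities."""
    estimate_document_expansion(xml_text, limit)
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    small = build_nested_payload(depth=2)          # expands to 300 bytes
    print(parse_with_expansion_limit(small).text[:12])
    huge = build_nested_payload(depth=9)           # ~3 GB from under 1 KB of XML
    print(len(huge), "bytes of XML, estimated expansion:",
          estimate_document_expansion(huge))
    try:
        parse_with_expansion_limit(huge)
    except ValueError as err:
        print("rejected:", err)
```

The estimator is deliberately conservative: it counts references inside comments and CDATA sections as if they expanded, and it raises on recursive definitions, which are illegal in XML anyway but are a cheap way to hang a naive expander. Note that libexpat 2.4.1 and later ship a built-in amplification limit (default 100x, active once output exceeds 8 MiB), so a current Python build would also stop the large payload eventually, but only after doing several megabytes of work; costing the document up front rejects it at zero cost.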

Related weaknesses (4)

CWE-112: Missing XML Validation
CWE-20: Improper Input Validation
CWE-674: Uncontrolled Recursion
CWE-770: Allocation of Resources Without Limits or Throttling

Related attack patterns (1)

CAPEC-130 (ChildOf)

Exploits (4)

Type     | Target                                               | ID      | Confidence | Tier
Weakness | Allocation of Resources Without Limits or Throttling | CWE-770 | 100%       | live
Weakness | Uncontrolled Recursion                               | CWE-674 | 100%       | live
Weakness | Improper Input Validation                            | CWE-20  | 100%       | live
Weakness | Missing XML Validation                               | CWE-112 | 100%       | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Serialized Data Parameter Blowup
CAPEC: Oversized Serialized Data Payloads
CAPEC: Serialized Data External Linking
CAPEC: Exponential Data Expansion
CAPEC: Data Serialization External Entities Blowup
CAPEC: Object Injection
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.