
CAPEC-493: SOAP Array Blowup

Abstraction: Standard
Status: Draft

Description

An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker's message is typically small, containing a large array declaration (say, 1,000,000 elements) but only a couple of actual array elements. This attack targets exhaustion of the memory resources of the web service.
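As an added defender-side check (not part of the CAPEC entry), the following Python inspects a parsed SOAP 1.1 envelope for SOAP-ENC:arrayType declarations before a deserialiser honours them, flagging declarations that exceed a policy cap or that declare far more elements than the message actually carries. The cap, the namespace prefixes and both sample envelopes are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENC_NS = "http://schemas.xmlsoap.org/soap/encoding/"
# Assumed deployment policy: no array declaration larger than this is honoured.
MAX_DECLARED_ELEMENTS = 10_000
# SOAP 1.1 arrayType values end in one or more sizes, e.g. "xsd:string[1000000]"
# or "xsd:int[2,3]"; an unsized "[]" asks for nothing to be pre-allocated.
SIZE_SUFFIX = re.compile(r"\[(\d+(?:,\d+)*)\]\s*$")


def declared_array_size(array_type):
    """Elements a SOAP-ENC:arrayType value asks the receiver to allocate, or None if unsized."""
    m = SIZE_SUFFIX.search(array_type)
    if m is None:
        return None
    total = 1
    for dim in m.group(1).split(","):
        total *= int(dim)  # multi-dimensional declarations multiply out
    return total


def find_array_blowups(envelope, max_declared=MAX_DECLARED_ELEMENTS):
    """Return (tag, declared, actual) for every array whose declaration is larger than
    policy allows or larger than the number of child elements actually sent."""
    root = ET.fromstring(envelope)
    findings = []
    for elem in root.iter():
        array_type = elem.get("{%s}arrayType" % SOAP_ENC_NS)
        if array_type is None:
            continue
        declared = declared_array_size(array_type)
        actual = len(elem)  # child elements present in the message
        if declared is not None and (declared > max_declared or declared > actual):
            findings.append((elem.tag, declared, actual))
    return findings


# Constructed sample: a small message declaring 1,000,000 elements but carrying two.
BLOWUP_ENVELOPE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soapenv:Body>
    <items SOAP-ENC:arrayType="xsd:string[1000000]"><item>a</item><item>b</item></items>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample: the honest version of the same request.
BENIGN_ENVELOPE = BLOWUP_ENVELOPE.replace(b"[1000000]", b"[2]")

if __name__ == "__main__":
    print(find_array_blowups(BLOWUP_ENVELOPE))  # [('items', 1000000, 2)]
    print(find_array_blowups(BENIGN_ENVELOPE))  # []
```

In a real service the same rule belongs in a streaming (SAX-style) handler or in the deserialiser's array-size hook, so that the declaration is rejected before any allocation proportional to it takes place.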

Related weaknesses (1)

CWE-770

Related attack patterns (1)

CAPEC-130 (ChildOf)

Exploits (1)

Type      Target                                                          Confidence  Tier
Weakness  Allocation of Resources Without Limits or Throttling (CWE-770)  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: SOAP Array Overflow
CAPEC: SOAP Manipulation
CAPEC: Serialized Data Parameter Blowup
CAPEC: XML Flood
CAPEC: XML Ping of the Death
CAPEC: SQL Injection through SOAP Parameter Tampering

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.