CAPEC-230: Serialized Data with Nested Payloads
Also known as: XML Denial of Service (XML DoS)
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
Last updated
Overview
An adversary's goal is to leverage parser failure to their advantage. In most cases this type of an attack will result in a Denial of Service due to an application becoming unstable, freezing, or crashing. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [REF-89]. This attack is most closely associated with web services using SOAP or a Rest API, because remote service requesters can post malicious payloads to the service provider. The main weakness is that the service provider generally must inspect, parse, and validate the messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that this attack targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side.
- Step 2Exploit
An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.
What the attacker needs
Prerequisites
- An application's user-controllable data is expressed in a language that supports subsitution.
- An application does not perform sufficient validation to ensure that user-controllable data is not malicious.
Consequences
What a successful CAPEC-230 attack can achieve.
Resource Consumption
Affects: Availability
Read Data
Affects: Confidentiality
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-230.
- Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. Ensure that the resultant data is safe to pass to the data parser.
- Perform validation on canonical data.
- Pick a robust implementation of the data parser.
How to detect it
Indicators that this attack may be underway.
- Bad data is passed to the data parser (possibly repeatedly), possibly making it crash or execute arbitrary code.
Terminology & mappings
Alternate terms
- XML Denial of Service (XML DoS)
Frequently asked questions
Common questions about CAPEC-230.
- What is CAPEC-230?
- Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
- How does a Serialized Data with Nested Payloads attack work?
- It typically unfolds over 2 phases. It begins with: An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side.
- How do you prevent CAPEC-230?
- Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. Ensure that the resultant data is safe to pass to the data parser.
- What weaknesses does CAPEC-230 target?
- CAPEC-230 exploits 4 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-112 (Missing XML Validation), CWE-674 (Uncontrolled Recursion), CWE-770 (Allocation of Resources Without Limits or Throttling).
- How severe is CAPEC-230?
- MITRE rates CAPEC-230 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-230
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.