Name | Serialized Data External Linking
Likelihood of attack | High
Typical severity | High
Summary | An attacker creates a serialized data document (e.g. XML or YAML) that contains an external entity reference. Because serialized data parsers may resolve external references without validating them, the target of the reference is never checked, so the parser can be made to open arbitrary local files or network connections on the attacker's behalf. This can give the attacker access to information on the system that they would normally be unable to read.
Prerequisites | The target must resolve external entity references without validating the reference target.
Execution Flow
Step | Phase | Description | Techniques
1 | Explore | [Survey the target] Using a browser or an automated tool, the attacker records all instances of web services that process requests containing serialized data. | - Use an automated tool to record all URLs that process requests containing serialized data. - Use a browser to manually explore the website and analyze how the application processes serialized data requests.
2 | Exploit | [Launch an External Entity Linking attack] The attacker crafts a malicious data message that contains an external entity reference pointing at a sensitive file. | - Send the crafted message containing the reference to the sensitive file to the target URL.
Solutions | Configure the serialized data processor to retrieve external entities only from trusted sources, and disable external entity resolution entirely where the application has no need for it.
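As an added example that is not part of the CAPEC entry, the following Python script shows both halves of the pattern above with the standard-library expat bindings: a parser whose external-entity resolver reads whatever file the document names (the condition in Prerequisites), and the same parser with a resolver restricted to a trusted directory (the Solutions entry). The attacker document, the "secret" file and the trusted directory are all constructed inside a temporary directory so the script runs offline; the function and file names are illustrative, not from any real application.

```python
"""Added example (not part of the CAPEC entry): an expat-based XML parser whose
external-entity resolver is either open, so a document can pull in any local
file, or restricted to a trusted directory as the Solutions entry recommends."""
import tempfile
import xml.parsers.expat as expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname


def parse_xml(xml_bytes: bytes, resolve_external) -> str:
    """Parse XML and return its concatenated character data.

    resolve_external(system_id) is invoked for each external entity reference
    and must return the entity's bytes, or raise to refuse the reference.
    """
    texts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = texts.append

    def on_external_ref(context, base, system_id, public_id):
        data = resolve_external(system_id)
        # Parse the fetched bytes as the entity's replacement text.
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = texts.append
        sub.Parse(data, True)
        return 1  # non-zero: entity handled, keep parsing

    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return "".join(texts)


def _file_uri_to_path(system_id: str) -> Path:
    parsed = urlparse(system_id)
    if parsed.scheme not in ("", "file"):
        raise ValueError(f"external entity scheme not allowed: {system_id}")
    return Path(url2pathname(parsed.path))


def open_resolver(system_id: str) -> bytes:
    """Vulnerable: reads whatever file the document names. Network schemes
    are refused here only so the demo stays offline."""
    return _file_uri_to_path(system_id).read_bytes()


def make_trusted_resolver(trusted_dir: Path):
    """Hardened: resolve only file entities located under trusted_dir."""
    trusted_dir = trusted_dir.resolve()

    def resolver(system_id: str) -> bytes:
        # resolve() canonicalises '..' segments and symlinks before the check
        target = _file_uri_to_path(system_id).resolve()
        if trusted_dir not in target.parents:
            raise ValueError(f"external entity outside trusted dir: {system_id}")
        return target.read_bytes()

    return resolver


def entity_payload(system_id: str) -> bytes:
    """Constructed attacker document: declares one external general entity
    and references it inside an element, as in step 2 of the execution flow."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY ext SYSTEM "{system_id}"> ]>\n'
        "<order><note>&ext;</note></order>"
    ).encode()


def run_demo():
    """Returns (text leaked by the open resolver, whether the trusted resolver
    refused the same document, text it returned for a file it does trust)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        secret = root / "private" / "secret.txt"      # constructed sensitive file
        secret.parent.mkdir()
        secret.write_text("db_password=hunter2")
        public = root / "public" / "boilerplate.txt"  # constructed trusted file
        public.parent.mkdir()
        public.write_text("standard terms")

        attack = entity_payload(secret.as_uri())
        leaked = parse_xml(attack, open_resolver)     # secret file contents

        trusted = make_trusted_resolver(root / "public")
        try:
            parse_xml(attack, trusted)
            blocked = False
        except ValueError:
            blocked = True                            # reference refused
        allowed = parse_xml(entity_payload(public.as_uri()), trusted)
        return leaked, blocked, allowed


if __name__ == "__main__":
    print(run_demo())
```

The allowlist check is done on the canonicalised path, so `..` segments or a symlink planted inside the trusted directory cannot escape it; the same resolver hook is also where an http/https reference would be refused in a real deployment. Parsers that expose no resolver hook should simply have external entity resolution switched off.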
Related Weaknesses
CWE ID | Description
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere
Related CAPECs
CAPEC ID | Description
CAPEC-231 | Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that has an adverse effect on the parser while it is being processed. By supplying oversized payloads in input vectors that the parser will process, an adversary can cause the parser to consume more resources during processing, leading to excessive memory consumption and CPU utilization, and potentially to execution of arbitrary code. The adversary's goal is to leverage parser failure to their advantage. DoS is most closely associated with web services, SOAP and REST, because remote service requesters can post malicious data payloads to the service provider designed to exhaust its memory, CPU and/or disk space. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
CAPEC-278 | An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can be performed either by manipulating call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources that are normally restricted, or to cause the application or service to crash.