| Name |
Serialized Data External Linking |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain. |
| Prerequisites |
The target must follow external data references without validating the validity of the reference target. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Survey the target] Using a browser or an automated tool, an adversary records all instances of web services that process requests with serialized data. |
- Use an automated tool to record all instances of URLs that process requests with serialized data.
- Use a browser to manually explore the website and analyze how the application processes serialized data requests.
|
| 2 |
Exploit |
[Craft malicious payload] The adversary crafts malicious data message that contains references to sensitive files. |
|
| 3 |
Exploit |
[Launch an External Linking attack] Send the malicious crafted message containing the reference to a sensitive file to the target URL. |
|
|
| Solutions | Configure the serialized data processor to only retrieve external entities from trusted sources. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-829 |
Inclusion of Functionality from Untrusted Control Sphere |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-122 |
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. |
| CAPEC-278 |
An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either be performed through the manipulation of call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources normally restricted, or to cause the application or service to crash. |
|