Home > CAPEC List > CAPEC-586: Object Injection (Version 2.11)  

CAPEC-586: Object Injection

Object Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 586
Abstraction: Meta
Status: Draft
Completeness: Hook
Presentation Filter:
+ Summary

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.

+ Attack Prerequisites
  • The target application must unserialize data before validation.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Medium

+ Solutions and Mitigations

Implementation: Validate object before deserialization process

Design: Limit which types can be deserialized.

Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Whitelist acceptable classes.

Implementation: Keep session state on the server, when possible.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
DoS: resource consumption (memory)
If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate and exhaust available resources.
Modify files or directories
Attackers can modify objects or data that was assumed to be safe from modification.
Execute unauthorized code or commands
Functions that assume information in the deserialized object is valid could be exploited.
+ References
[R.17.1] [REF-2] "CWE-502: Deserialization of Untrusted Data". MITRE. January 2017.
[R.17.1] [REF-2] "Deserialization of Untrusted Data". OWASP. January 2017.
+ Content History
CAPEC Content TeamThe MITRE Corporation2017-02-06Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017