Description

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

Likelihood Of Attack

Relationships

This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | Meta Attack Pattern | 248 | Command Injection |
| ParentOf | Detailed Attack Pattern | 83 | XPath Injection |
| ParentOf | Detailed Attack Pattern | 84 | XQuery Injection |
| ParentOf | Detailed Attack Pattern | 228 | DTD Injection |

Meta Attack Pattern: A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of a related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.

Detailed Attack Pattern: A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.
This table shows the views that this attack pattern belongs to and top level categories within that view.

Execution Flow

Explore

Survey the Target: Using a browser or an automated tool, an adversary records all instances of user-controllable input used to construct XML queries.

| Techniques |
|---|
| Use an automated tool to record all instances of user-controllable input used to construct XML queries. |
| Use a browser to manually explore the website and analyze how the application processes inputs. |

Experiment

Determine the Structure of Queries: Using manual or automated means, test the inputs found for XML weaknesses.

| Techniques |
|---|
| Use XML reserved characters or words, possibly with other input data, to attempt to cause unexpected results and identify improper input validation. |

Exploit

Inject Content into XML Queries: Craft malicious content containing XML expressions that is not validated by the application and is executed as part of the XML queries.

| Techniques |
|---|
| Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker. |
Prerequisites

- XML queries used to process user input and retrieve information stored in XML documents
- User-controllable input not properly sanitized

Skills Required

- [Level: Low] An attacker must have knowledge of XML syntax and constructs in order to successfully leverage XML Injection

Resources Required

- None: No specialized resources are required to execute this type of attack.

Indicators

- Too many exceptions generated by the application as a result of malformed queries
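The indicator above (a burst of exceptions from malformed queries) can be turned into a concrete detection. The following is an added example, not part of the CAPEC entry: it runs a sliding-window count of query-parse exceptions per client over constructed application log lines. The log format, the exception names (`XPathSyntaxError`, `XQueryException`, `SAXParseException`) and the threshold are assumptions for illustration; adapt the regexes to the real application's log and XML engine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample log lines (not from the CAPEC entry). Assumed format:
# "<ISO timestamp> <level> client=<ip> <message>".
SAMPLE_LOG = """\
2024-03-01T10:00:01 INFO client=10.0.0.5 login ok user=alice
2024-03-01T10:00:03 ERROR client=10.0.0.9 XPathSyntaxError: unterminated string literal in query
2024-03-01T10:00:04 ERROR client=10.0.0.9 XPathSyntaxError: unexpected token 'or'
2024-03-01T10:00:05 ERROR client=10.0.0.9 XPathSyntaxError: unexpected token ']'
2024-03-01T10:00:06 ERROR client=10.0.0.9 XPathSyntaxError: unterminated string literal in query
2024-03-01T10:00:07 ERROR client=10.0.0.9 XPathSyntaxError: unexpected token '('
2024-03-01T10:00:30 ERROR client=10.0.0.7 XPathSyntaxError: unexpected token ']'
2024-03-01T10:05:00 ERROR client=10.0.0.9 XPathSyntaxError: unterminated string literal in query
2024-03-01T10:05:10 INFO client=10.0.0.5 login ok user=bob
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\S+) client=(?P<client>\S+) (?P<msg>.*)$")

# Exception names that signal a query the XML engine could not parse. These are
# assumed names; replace them with whatever the real engine emits.
QUERY_ERROR_RE = re.compile(r"XPathSyntaxError|XQueryException|SAXParseException")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into timestamp, level, client and message; None if it
    does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "level": m["level"],
        "client": m["client"],
        "msg": m["msg"],
    }


def flag_query_error_bursts(
    log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)
) -> Dict[str, int]:
    """Return {client: peak_count} for every client that produced at least
    `threshold` malformed-query exceptions inside any `window`-long span.
    A single parse error is ordinary noise; a tight burst from one client is
    the probing behaviour the Experiment step above describes."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and QUERY_ERROR_RE.search(rec["msg"]):
            events[rec["client"]].append(rec["ts"])

    flagged: Dict[str, int] = {}
    for client, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged


if __name__ == "__main__":
    print(flag_query_error_bursts(SAMPLE_LOG))
```

With the constructed log, only client 10.0.0.9 crosses the default threshold (five parse errors within five seconds); its later single error at 10:05:00 falls outside the 60-second window and does not extend the burst. Widening the window to ten minutes folds that error in, which is why the window size should be tuned to the application's normal error rate.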
Consequences

This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

| Scope | Impact | Likelihood |
|---|---|---|
| Confidentiality, Access Control, Authorization | Gain Privileges | |
| Confidentiality | Read Data | |
Mitigations

- Strong input validation: All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of XML data or a query.
- Use of custom error pages: Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.
Example Instances

Consider an application that uses an XML database to authenticate its users. The application retrieves the user name and password from a request and forms an XPath expression to query the database. An attacker can successfully bypass authentication and log in without valid credentials through XPath Injection. This can be achieved by injecting into the query to the XML database XPath syntax that causes the authentication check to fail. Improper validation of user-controllable input and use of a non-parameterized XPath expression enable the attacker to inject an XPath expression that causes authentication bypass.
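The example instance above and the "strong input validation" mitigation are illustrated together below. This is an added example, not code from the CAPEC entry: a constructed XML user store, the non-parameterized query-building pattern the text warns about (shown only as the string it would produce, so the structural change caused by a quote character is visible), and a hardened login that validates input and never splices user data into the query. The function names, the sample records and the reserved-character list are assumptions chosen for illustration.

```python
import hmac
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample XML "database" of users (not from the CAPEC entry). A real
# system would store password hashes, never plaintext; plaintext is used here
# only to keep the comparison visible.
USER_DB_XML = """<users>
  <user><name>alice</name><password>s3cret</password><role>user</role></user>
  <user><name>admin</name><password>hunter2</password><role>admin</role></user>
</users>"""

ROOT = ET.fromstring(USER_DB_XML)


def build_query_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern from the example instance: the XPath expression
    is assembled by string concatenation, so a quote in user input ends the
    literal and the rest of the input becomes part of the predicate. The
    string is returned, not evaluated, so the effect can be inspected."""
    return f"//user[name='{username}' and password='{password}']"


# Characters that carry meaning inside an XPath string literal or predicate.
# Assumed list; extend it for the query language actually in use.
_XPATH_META = re.compile(r"""['"()\[\]/=<>|@*$]""")


def is_valid_credential(value: str) -> bool:
    """Mitigation: strong input validation. Reject empty or over-long values
    and anything containing characters that can be interpreted as query
    syntax rather than data."""
    return 0 < len(value) <= 64 and _XPATH_META.search(value) is None


def authenticate_safe(username: str, password: str) -> Optional[str]:
    """Hardened login: validate first, then walk the records with a fixed
    path and compare the submitted values in code, where they are plain
    strings and cannot change the query. Returns the user's role on success
    and None on failure. compare_digest keeps the comparison constant-time."""
    if not (is_valid_credential(username) and is_valid_credential(password)):
        return None
    for user in ROOT.iterfind("./user"):
        name_ok = hmac.compare_digest((user.findtext("name") or "").encode(), username.encode())
        pass_ok = hmac.compare_digest((user.findtext("password") or "").encode(), password.encode())
        if name_ok and pass_ok:
            return user.findtext("role")
    return None


if __name__ == "__main__":
    # A password containing a quote turns the predicate into
    # (name='admin' and password='') or ('1'='1'), which matches every user.
    print(build_query_unsafe("admin", "' or '1'='1"))
    print(authenticate_safe("admin", "hunter2"))      # admin
    print(authenticate_safe("admin", "' or '1'='1"))  # None
```

The point of the hardened version is not the character filter alone (filters are a defence in depth and can miss encodings) but that the query text is fixed: user input only ever reaches a Python string comparison, so no input can alter which records the path selects. Where the XML engine supports bound variables (for example an XPath variable resolver), binding the values is the equivalent of a parameterized SQL query and is preferable to concatenation for the same reason.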
Taxonomy Mappings

Relevant to the WASC taxonomy mapping

| Entry ID | Entry Name |
|---|---|
| 23 | XML Injection |
Content History

Submissions

| Submission Date | Submitter | Organization |
|---|---|---|
| 2014-06-23 (Version 2.6) | CAPEC Content Team | The MITRE Corporation |

Modifications

| Modification Date | Modifier | Organization | Comment |
|---|---|---|---|
| 2017-08-04 (Version 2.11) | CAPEC Content Team | The MITRE Corporation | Updated Resources_Required |
| 2018-07-31 (Version 2.12) | CAPEC Content Team | The MITRE Corporation | Updated References, Related_Weaknesses |
| 2020-12-17 (Version 3.4) | CAPEC Content Team | The MITRE Corporation | Updated Mitigations, Taxonomy_Mappings |
| 2021-06-24 (Version 3.5) | CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses |
| 2022-02-22 (Version 3.7) | CAPEC Content Team | The MITRE Corporation | Updated Execution_Flow |