CAPEC-280: SOAP Parameter Tampering (Version 2.9)

Attack Pattern ID: 280
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An attacker sends a SOAP message whose field values differ from what the server is likely to expect, in order to provoke non-standard server behavior. In a SOAP message, parameters take the form of values within XML elements. The server will have an XML schema that places certain restrictions on these parameter values; for example, the server may expect a parameter to be a string of fewer than 10 characters, or a number less than 100. In a SOAP parameter tampering attack, an attacker either violates this schema or takes advantage of flexibility within the schema (for example, a lack of a character limit) to supply parameters that the server might not expect. Examples of unexpected parameters include oversized data, data of a different data type, data containing metacharacters, and contextually inappropriate data (for example, a non-existent product name in a product name field, or an out-of-order sequence number). Results of this attack can include information disclosure, denial of service, or even execution of arbitrary code.

+ Attack Prerequisites
  • The targeted server either fails to verify that data in SOAP messages conforms to the appropriate XML schema, or it fails to correctly handle the complete range of data allowed by the schema.
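
The prerequisite above is the absence of server-side checks on parameter values. The following is an added example (not code from CAPEC or MITRE) of the kind of validation a SOAP endpoint should apply before any value reaches business logic. It assumes a hypothetical PlaceOrder operation in the made-up namespace urn:example:orders with three parameters: productName (a string of at most 10 characters drawn from a known catalogue), quantity (an integer below 100) and sequenceNumber (which must match the value the server expects next). Because the Python standard library has no XSD validator, the schema's constraints are written out explicitly here; a production service would additionally validate the envelope against the XSD from its WSDL. All SOAP messages are constructed samples.

```python
"""Schema-style validation of SOAP parameters (added example, hypothetical service)."""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:orders"  # hypothetical application namespace

# Constraints the service's XSD would declare; enforced in code here because
# xml.etree has no schema validator.
MAX_NAME_LEN = 10
MAX_QUANTITY = 100
KNOWN_PRODUCTS = {"widget", "gadget"}            # constructed catalogue
NAME_PATTERN = re.compile(r"[A-Za-z0-9_-]+")      # no metacharacters
EXPECTED_FIELDS = ("productName", "quantity", "sequenceNumber")


class TamperedParameter(ValueError):
    """Raised when a SOAP parameter violates the declared constraints."""


def _text(op, local_name):
    el = op.find(f"{{{APP_NS}}}{local_name}")
    if el is None or el.text is None:
        raise TamperedParameter(f"missing {local_name}")
    return el.text.strip()


def validate_order(soap_xml, expected_sequence):
    """Parse a SOAP envelope and return its validated PlaceOrder parameters."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        raise TamperedParameter(f"malformed XML: {exc}")
    op = root.find(f"{{{SOAP_NS}}}Body/{{{APP_NS}}}PlaceOrder")
    if op is None:
        raise TamperedParameter("no PlaceOrder element in Body")

    # Unknown child elements are rejected rather than silently ignored.
    allowed = {f"{{{APP_NS}}}{n}" for n in EXPECTED_FIELDS}
    extra = [child.tag for child in op if child.tag not in allowed]
    if extra:
        raise TamperedParameter(f"unexpected elements: {extra}")

    # Oversized data, metacharacters and contextually wrong values.
    name = _text(op, "productName")
    if len(name) > MAX_NAME_LEN:
        raise TamperedParameter("productName too long")
    if not NAME_PATTERN.fullmatch(name):
        raise TamperedParameter("productName contains disallowed characters")
    if name not in KNOWN_PRODUCTS:
        raise TamperedParameter("unknown product")

    # Wrong data type and out-of-range numbers.
    qty_txt = _text(op, "quantity")
    if not re.fullmatch(r"[0-9]+", qty_txt):
        raise TamperedParameter("quantity is not an integer")
    qty = int(qty_txt)
    if not 0 < qty < MAX_QUANTITY:
        raise TamperedParameter("quantity out of range")

    # Out-of-order sequence number.
    seq_txt = _text(op, "sequenceNumber")
    if not re.fullmatch(r"[0-9]+", seq_txt):
        raise TamperedParameter("sequenceNumber is not an integer")
    seq = int(seq_txt)
    if seq != expected_sequence:
        raise TamperedParameter("out-of-order sequence number")

    return {"productName": name, "quantity": qty, "sequenceNumber": seq}


def envelope(name, qty, seq):
    """Build a constructed sample SOAP request for the hypothetical operation."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<o:PlaceOrder xmlns:o="{APP_NS}">'
            f'<o:productName>{name}</o:productName>'
            f'<o:quantity>{qty}</o:quantity>'
            f'<o:sequenceNumber>{seq}</o:sequenceNumber>'
            f'</o:PlaceOrder></soap:Body></soap:Envelope>')


def check_raw(soap_xml, expected_sequence=1):
    """Return True if the message is accepted, otherwise the rejection reason."""
    try:
        validate_order(soap_xml, expected_sequence)
        return True
    except TamperedParameter as exc:
        return str(exc)


def check(name, qty, seq, expected_sequence=1):
    """Convenience wrapper: build a sample envelope and validate it."""
    return check_raw(envelope(name, qty, seq), expected_sequence)


if __name__ == "__main__":
    for args in [("widget", 3, 1), ("a" * 50, 3, 1), ("widget;--", 3, 1),
                 ("gizmo", 3, 1), ("widget", "12.5", 1), ("widget", 500, 1),
                 ("widget", 3, 5)]:
        print(args, "->", check(*args))
```

Each rejection maps to one of the unexpected-parameter classes the summary lists; rejecting unknown child elements and malformed XML before field checks keeps the parser from becoming the weak point itself.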

+ Typical Severity

Medium

+ Resources Required

The attacker must be able to craft arbitrary SOAP messages and send them to the targeted server.

+ Content History
Submissions
Submitter          | Organization          | Date       | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team

Page Last Updated or Reviewed: December 07, 2015