Home > CAPEC List > CAPEC-84: XQuery Injection (Version 3.0)  

CAPEC-84: XQuery Injection

Attack Pattern ID: 84
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources.
+ Likelihood Of Attack

High

+ Typical Severity

Very High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.250XML Injection
+ Execution Flow
Explore
  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application. Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

    Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Experiment
  1. Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with an invalid syntax. Use web browser to inject input through text fields or through HTTP GET parameters. Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. Use XML files to inject input. Use network-level packet injection tools such as netcat to inject input Use modified client (modified by reverse engineering) to inject input.

    Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use XML files to inject input.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.
Exploit
  1. Information Disclosure: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information. Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it.

    Techniques
    Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it.
  2. Manipulate the data in the XML database: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data. Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload.. The payload tries to insert or replace data in the XML database.

    Techniques
    Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload.. The payload tries to insert or replace data in the XML database.
+ Prerequisites
The XQL must execute unvalidated data
+ Skills Required
[Level: Low]
Basic understanding of XQuery
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Integrity
Modify Data
Confidentiality
Read Data
Confidentiality
Access Control
Authorization
Gain Privileges
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
+ Mitigations
Design: Perform input white list validation on all XML input
Implementation: Run xml parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.
+ Example Instances

An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back.

doc(accounts.xml)//user[Name='*']

The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL.

+ Memberships
This MemberOf Relationships table shows additional CAPEC Categories and Views that reference this attack pattern as a member. This information is often useful in understanding where a attack pattern fits within the context of external information sources.
NatureTypeIDName
MemberOfCategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.379WASC-46 - XQuery Injection
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018