This attack uses XQuery to probe and attack server systems. In the same way that SQL injection lets an attacker exploit the SQL calls an application makes to an RDBMS, XQuery injection uses improperly validated data that is passed into XQuery commands to traverse the data and execute the commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements in the victim's environment, inject commands to the local host, or execute queries against remote files and data sources.
Attack Execution Flow

Explore

Survey the application for user-controllable inputs:
Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry points for the web application.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. | env-Web
2 | Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. | env-Web
3 | Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate the discovery. | env-Web

Indicators
ID | Type | Indicator Description | Environments
1 | Positive | Inputs are used by the application or the browser (DOM). | env-Web
2 | Inconclusive | Using URL rewriting, parameters may be part of the URL path. | env-Web
3 | Inconclusive | No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. | env-Web
4 | Negative | Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. | env-Web

Outcomes
ID | Type | Outcome Description
1 | Success | A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.), is created by the attacker.
2 | Success | A list of application user interface entry fields is created by the attacker.
3 | Success | A list of resources accessed by the application is created by the attacker.

Security Controls
ID | Type | Security Control Description
1 | Detective | Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMEs, images, or other HTML techniques, the links can be hidden from web browsing humans but remain visible to spiders and programs. A request for such a page then becomes a good predictor of an automated tool probing the application.
3 | Preventative | Use CAPTCHA to prevent the use of the application by an automated tool.
4 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
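The first detective control above (request velocity and regularity) can be checked directly against a web log. The following Python script is an added example for this page, not CAPEC's or MITRE's code: it groups requests by client address, computes the gaps between consecutive requests, and calls a client automated when its mean gap is below a threshold or the gaps are so regular that their coefficient of variation is small. The log format, the sample lines and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample web log, one request per line: "<epoch seconds> <client ip>
# <method> <path>". Not real traffic: 10.0.0.5 browses at human pace, 10.0.0.9
# fetches a page every 0.8 seconds, the regular spacing the control describes.
SAMPLE_LOG = """\
1255183000.0 10.0.0.5 GET /
1255183013.4 10.0.0.5 GET /about
1255183055.1 10.0.0.5 GET /contact
1255183071.9 10.0.0.5 GET /search?q=help
1255183130.6 10.0.0.5 GET /terms
1255183200.0 10.0.0.9 GET /
1255183200.8 10.0.0.9 GET /about
1255183201.6 10.0.0.9 GET /contact
1255183202.4 10.0.0.9 GET /search?q=a
1255183203.2 10.0.0.9 GET /login
1255183204.0 10.0.0.9 GET /terms
"""


def parse_log(text):
    """Group request timestamps by client address, keeping arrival order."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, _path = line.split(maxsplit=3)
        by_client[client].append(float(ts))
    return by_client


def inter_arrival_gaps(timestamps):
    """Seconds between consecutive requests from one client."""
    ordered = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ordered, ordered[1:])]


def classify_client(timestamps, min_requests=5, max_mean_gap=2.0, max_cv=0.25):
    """Return (verdict, mean_gap, coefficient_of_variation).

    A client is called 'automated' when it fetches pages faster than
    max_mean_gap seconds apart on average, or with gaps so regular that
    their coefficient of variation (stddev / mean) is under max_cv.
    Thresholds are constructed for this example and need tuning per site.
    """
    if len(timestamps) < min_requests:
        return ("insufficient-data", None, None)
    gaps = inter_arrival_gaps(timestamps)
    avg = mean(gaps)
    # A burst of identical timestamps gives avg == 0; treat it as perfectly regular.
    cv = pstdev(gaps) / avg if avg > 0 else 0.0
    verdict = "automated" if (avg <= max_mean_gap or cv <= max_cv) else "human-like"
    return (verdict, avg, cv)


def scan_log(text, **thresholds):
    """Classify every client in the log; returns {client: (verdict, mean_gap, cv)}."""
    return {client: classify_client(stamps, **thresholds)
            for client, stamps in parse_log(text).items()}


if __name__ == "__main__":
    for client, (verdict, avg, cv) in scan_log(SAMPLE_LOG).items():
        print(f"{client}: {verdict} (mean gap {avg}, cv {cv})")
```

The regularity test matters as much as the speed test: a throttled spider that waits several seconds between fetches still produces near-identical gaps, which a human clicking through pages does not.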
Experiment

Determine user-controllable input susceptible to injection:
For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with invalid syntax.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Use a web browser to inject input through text fields or through HTTP GET parameters. | env-Web
2 | Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab, etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |

Outcomes
ID | Type | Outcome Description
1 | Success | At least one user-controllable input susceptible to injection found.
2 | Failure | No user-controllable input susceptible to injection found.

Security Controls
ID | Type | Security Control Description
1 | Detective | Search for and alert on unexpected XQL keywords in application logs.
2 | Preventative | Validate user-controlled data before including it in an XQL query.
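The detective control above (alerting on unexpected XQL keywords in application logs) is shown here as an added Python example, not code from CAPEC or MITRE. It percent-decodes the path and every query-string value of each logged request, scores them against a small set of weighted XQuery/XPath token patterns, and emits an alert when the score reaches a threshold. The log format, the sample lines (one of which carries this page's own doc(accounts.xml) example string), the patterns and the weights are constructed for the example and would need tuning against real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Tokens that have meaning in XQuery/XPath but rarely appear in ordinary form
# input. Weights are constructed for this example. Bare single quotes are
# deliberately not listed: names such as O'Brien are legitimate input, so a
# quote alone should not raise an alert.
SUSPICIOUS_PATTERNS = (
    (r"\bdoc\s*\(", "doc() call", 3),
    (r"\bcollection\s*\(", "collection() call", 3),
    (r"\bdeclare\s+(variable|function|namespace)\b", "XQuery prolog", 3),
    (r"\b(for|let|where|return)\s+\$\w+", "FLWOR clause", 3),
    (r"'\s*(or|and)\s+'", "quoted boolean splice", 3),
    (r"\[[^\]]*=[^\]]*\]", "predicate with comparison", 2),
    (r"//\w+", "descendant axis", 1),
)

# Constructed application log, one request per line:
# "<timestamp> <client ip> <method> <request target>". Not real traffic. The
# third line carries the page's own example string as a URL-encoded parameter.
SAMPLE_LOG = """\
2009-10-10T14:02:11Z 10.0.0.5 GET /users?name=O%27Brien
2009-10-10T14:02:19Z 10.0.0.5 GET /search?q=terms+and+conditions
2009-10-10T14:02:25Z 10.0.0.9 GET /users?name=doc%28accounts.xml%29%2F%2Fuser%5BName%3D%27%2A%27%5D
2009-10-10T14:02:31Z 10.0.0.7 POST /login
"""


def decoded_values(request_target):
    """Yield the path and every query-string value, percent-decoded, so that
    encoded payloads are inspected in the form the application sees them."""
    parts = urlsplit(request_target)
    yield unquote(parts.path)
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield value


def score_value(value):
    """Return (score, matched labels) for one decoded input value."""
    score, labels = 0, []
    for pattern, label, weight in SUSPICIOUS_PATTERNS:
        if re.search(pattern, value, re.IGNORECASE):
            score += weight
            labels.append(label)
    return score, labels


def analyze_log(text, threshold=3):
    """Return one alert per request whose most suspicious value reaches threshold."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, client, method, target = line.split(maxsplit=3)
        best_score, best_labels = 0, []
        for value in decoded_values(target):
            score, labels = score_value(value)
            if score > best_score:
                best_score, best_labels = score, labels
        if best_score >= threshold:
            alerts.append({"time": timestamp, "client": client, "method": method,
                           "target": target, "score": best_score,
                           "indicators": best_labels})
    return alerts


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
```

Decoding before matching is the important step: a web server log stores the request target percent-encoded, so a pattern such as `doc(` never matches the raw line. POST bodies are not in an access log at all, which is why the page's controls also ask for monitoring at the XML database side.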
Exploit

Information Disclosure:
The attacker crafts and injects an XQuery payload which is acted on by an XQL query, leading to inappropriate disclosure of information.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Leveraging one of the vulnerable inputs identified during the Experiment phase, inject a malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it. | env-Web

Outcomes
ID | Type | Outcome Description
1 | Success | The attacker gets information from the XML database.

Security Controls
ID | Type | Security Control Description
1 | Detective | Monitor server logs for suspicious XQuery requests.
2 | Preventative | Use appropriate input validation to filter XQL syntax in user-controllable inputs.
3 | Preventative | Do not use user-controllable input as part of XQL queries.

Manipulate the data in the XML database:
The attacker crafts and injects an XQuery payload which is acted on by an XQL query, leading to modification of application data.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Leveraging one of the vulnerable inputs identified during the Experiment phase, inject a malicious XQuery payload. The payload tries to insert or replace data in the XML database. | env-Web

Outcomes
ID | Type | Outcome Description
1 | Success | The attacker gets the XQuery engine to insert or modify data in the database. This is mainly used either to insert wrong data or to insert persistent attack payloads (XSS for instance) that will be sent to other users' browsers.

Security Controls
ID | Type | Security Control Description
1 | Detective | Monitor server logs for consecutive suspicious requests to the XML database.
2 | Preventative | Use appropriate input validation to filter XQL syntax in user-controllable inputs.
3 | Preventative | Do not use user-controllable input as part of XQL queries.
Attack Prerequisites
The XQL must execute unvalidated data
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing accounts.xml to request that the service provider send all user names back.
doc("accounts.xml")//user[Name='*']
The attacks that are possible through XQuery are difficult to predict if the data is not validated prior to executing the XQL.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Basic understanding of XQuery
Solutions and Mitigations
Design: Perform input white list validation on all XML input
Implementation: Run the XML parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.
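The two preventative controls that recur on this page (allow-list validation of user-controlled data, and not using user-controllable input as part of XQL queries) are shown together in the following Python example. It is an added illustration, not CAPEC's or MITRE's code, and no XQuery engine is run: the point it demonstrates is that the hardened query text is constant regardless of input, while the vulnerable concatenation changes the query's syntax as soon as the input contains a quote (the condition the Experiment phase probes for). The accounts.xml document and the user/Name element names come from the page's own example; the allow-list pattern and the `engine.execute(query_text, bindings)` call named in the comments are assumptions.

```python
import re

# Allow list for the single field this example accepts, an account name.
# The pattern is constructed for the example; a real application derives it
# from its own data model (what an account name may legitimately contain).
ACCOUNT_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{0,63}")

# Hardened query: the text is a constant. The value arrives through an external
# variable that the engine receives separately from the query, so it is never
# parsed as XQuery syntax. accounts.xml and user/Name come from the page's example.
SAFE_QUERY = ('declare variable $name external; '
              'doc("accounts.xml")//user[Name=$name]')


def validate_account_name(value):
    """Reject anything outside the allow list before it reaches the query layer."""
    if not ACCOUNT_NAME.fullmatch(value):
        raise ValueError("account name rejected by allow list: %r" % value)
    return value


def build_query_unsafe(account_name):
    """The vulnerable construction: the input is spliced into the query text,
    so characters with meaning in XQuery change what the engine executes."""
    return 'doc("accounts.xml")//user[Name=\'%s\']' % account_name


def build_query_safe(account_name):
    """The hardened construction: constant query text plus a bindings map.
    Returns (query_text, bindings) for a call such as
    engine.execute(query_text, bindings), a hypothetical engine API."""
    return SAFE_QUERY, {"name": validate_account_name(account_name)}


def string_literals_balanced(query_text):
    """True when every quote in the query text is closed. An odd count means the
    input altered the query's syntax, which is what the Experiment phase probes
    for by injecting characters with special meaning in XQL."""
    return query_text.count("'") % 2 == 0 and query_text.count('"') % 2 == 0


if __name__ == "__main__":
    for name in ("alice", "o'neil", "*"):
        unsafe = build_query_unsafe(name)
        print(name, "unsafe query balanced:", string_literals_balanced(unsafe))
        try:
            text, bindings = build_query_safe(name)
            print(name, "safe query unchanged:", text == SAFE_QUERY, bindings)
        except ValueError as err:
            print(name, "safe path:", err)
```

Note that the allow list rejects o'neil even though an apostrophe can be legitimate in a name: an allow list is chosen to match what the application's own data model permits, and the external-variable binding is what keeps the query safe when the field must accept such characters. The Implementation item above (running the query infrastructure with minimal privileges) is a deployment control and is not represented in this code.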
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.