Individual CAPEC Dictionary Definition (Release 1.1)
| Field | Value |
|---|---|
| Attack Pattern ID | 84 |
| Pattern Abstraction | Detailed |
| Typical Severity | Very High |
| Description | Summary: This attack utilizes XQuery to probe and attack server systems. In the same way that SQL Injection allows an attacker to exploit SQL calls to an RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements in the victim's environment, inject commands to the local host, or execute queries against remote files and data sources. |
| Attack Prerequisites | The XQL must execute unvalidated data. |
| Typical Likelihood of Exploit | High |
| Methods of Attack | |
| Examples-Instances | Description: An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing accounts.xml to request that the service provider send all user names back: `doc(accounts.xml)//user[Name='*']`. The attacks that are possible through XQuery are difficult to predict if the data is not validated prior to executing the XQL. |
| Attacker Skill or Knowledge Required | Low: basic understanding of XQuery |
| Solutions and Mitigations | Design: Perform input white list validation on all XML input. Implementation: Run XML parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL. |
| Attack Motivation-Consequences | Data Modification; Information Leakage; Privilege Escalation; Run Arbitrary Code |
| Context Description | |
| Injection Vector | XML-capable system interfaces |
| Payload | XQuery syntax |
| Activation Zone | XQL commands |

Related Weaknesses:

| CWE-ID | Weakness Name | Weakness Relationship Type |
|---|---|---|
| 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Targeted |

Purpose: Penetration; Exploitation

CIA Impact:

| Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|
| High | High | High |

Technical Context:

| Architectural Paradigm | Framework | Platform | Language |
|---|---|---|---|
| Client-Server | All | All | All |

Source, Submission(s):

| Submitter | Organization | Date | Comment |
|---|---|---|---|
| Gunnar Peterson | | 2007-02-28 | |

Modification(s):

| Modifier | Organization | Date | Comment |
|---|---|---|---|
| Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise |
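The following Python example is added here to illustrate the entry's Examples-Instances and Solutions and Mitigations fields; it is not part of the CAPEC entry. It models a hypothetical account-lookup service that builds the `doc("accounts.xml")//user[Name=...]` query from caller input (the quoted `doc()` argument is standard XQuery; the entry's own example omits the quotes), shows a structural check that flags when input has broken out of the string literal, and applies the entry's Design mitigation as an allow-list on the input. The hardened builder also hands the value to the processor as an XQuery external variable (`declare variable $name external;`) rather than splicing it into the query text; binding that variable is done through the XQuery processor's own API and is outside this example. The allow-list character set, the template and the sample inputs are constructed assumptions, and the Implementation mitigation (running the XML/XQuery infrastructure with minimal privileges) is a deployment matter not shown in code.

```python
import re
from typing import Dict, Tuple

# Constructed template for a hypothetical account-lookup service that embeds
# caller-supplied input directly in the query text (the pattern CAPEC-84 describes).
UNSAFE_TEMPLATE = "doc(\"accounts.xml\")//user[Name='{name}']"

# Allow-list for account names. The permitted character set is an assumption of
# this example, chosen so that XQuery string delimiters and path syntax are excluded.
ACCOUNT_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Shape the built query must keep: exactly one quoted string literal in the predicate.
SINGLE_LITERAL_PREDICATE = re.compile(
    r"""doc\("accounts\.xml"\)//user\[Name='([^']*)'\]$"""
)


def build_query_unsafe(name: str) -> str:
    """Vulnerable pattern: the caller's input becomes part of the query text."""
    return UNSAFE_TEMPLATE.format(name=name)


def validate_account_name(name: str) -> str:
    """Design mitigation from the entry: allow-list validation of the input."""
    if not ACCOUNT_NAME.fullmatch(name):
        raise ValueError("account name rejected by allow-list")
    return name


def build_query_safe(name: str) -> Tuple[str, Dict[str, str]]:
    """Hardened pattern: validate, then pass the value to the XQuery processor as an
    external variable instead of splicing it into the query. The returned dict is
    what would be bound to $name through the processor's API (not shown here)."""
    validated = validate_account_name(name)
    query = (
        "declare variable $name as xs:string external; "
        'doc("accounts.xml")//user[Name = $name]'
    )
    return query, {"name": validated}


def predicate_is_single_literal(query: str) -> bool:
    """Detection-style check over the built query text: True while the predicate is
    still a single quoted literal, False once input has broken out of it."""
    return SINGLE_LITERAL_PREDICATE.search(query) is not None


def demo() -> Dict[str, Dict[str, object]]:
    """Run three constructed inputs through both builders: an ordinary name, the
    wildcard from the entry's own example, and a value carrying a string delimiter."""
    results: Dict[str, Dict[str, object]] = {}
    for value in ("alice", "*", "alice'"):
        unsafe = build_query_unsafe(value)
        try:
            build_query_safe(value)
            accepted = True
        except ValueError:
            accepted = False
        results[value] = {
            "unsafe_query": unsafe,
            "predicate_intact": predicate_is_single_literal(unsafe),
            "accepted_by_allow_list": accepted,
        }
    return results


if __name__ == "__main__":
    for value, info in demo().items():
        print(repr(value), info)
```

Running the script shows the two mitigations working at different layers: the allow-list rejects both `*` and the stray quote before any query is built, while the structural check catches the case that actually alters the query's shape (the unbalanced quote) and would be the signal to log if a legacy path still concatenates input.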