CAPEC-271: Schema Poisoning (Version 3.9)

Attack Pattern ID: 271
Abstraction: Standard
+ Description
An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Nature      Type                      ID    Name
ChildOf     Meta Attack Pattern       176   Configuration/Environment Manipulation
ParentOf    Detailed Attack Pattern   146   XML Schema Poisoning
CanFollow   Meta Attack Pattern       94    Adversary in the Middle (AiTM)
+ Execution Flow
Explore
  1. Find target application and schema: The adversary first finds the application that they want to target. This application must use schemas in some way, so the adversary also needs to confirm that schemas are being used.

    Techniques
    Gain access to the system that the application is on and look for a schema.
    Observe HTTP traffic to the application and look for a schema being transmitted.
Experiment
  1. Gain access to schema: The adversary gains access to the schema so that they can modify the contents.

    Techniques
    For a local scenario, the adversary needs access to the machine that the schema is located on and permissions to alter the contents of the schema file.
    For a remote scenario, the adversary needs to be able to perform an adversary in the middle attack on the HTTP traffic that contains a schema.
Exploit
  1. Poison schema: Once the adversary gains access to the schema, they will alter it to achieve a desired effect. Locally, they can just modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.

    Techniques
    Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing.
    Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field.
    Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B).
+ Prerequisites
Some level of access to modify the target schema.
The schema used by the target application must be improperly secured against unauthorized modification and manipulation.
+ Resources Required
Access to the schema and the knowledge and ability to modify it. Ability to replace or redirect access to the modified schema.
+ Consequences
Scope             Impact                                      Likelihood
Availability      Unreliable Execution; Resource Consumption
Integrity         Modify Data
Confidentiality   Read Data
+ Mitigations
Design: Protect the schema against unauthorized modification.
Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the schema document.
Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.
+ Example Instances

In a JSON Schema Poisoning Attack, an adversary modifies the JSON schema to cause a Denial of Service (DOS) or to submit malicious input:

    {
      "title": "Contact",
      "type": "object",
      "properties": {
        "Name": { "type": "string" },
        "Phone": { "type": "string" },
        "Email": { "type": "string" },
        "Address": { "type": "string" }
      },
      "required": ["Name", "Phone", "Email", "Address"]
    }

If the 'Name' attribute is required in all submitted documents and this field is removed from the schema's "required" list by the adversary, the application may enter an unexpected state or record incomplete data. Additionally, if this data is needed to perform additional functions, a Denial of Service (DOS) may occur.
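
The following Python code is an added example, not part of the CAPEC entry, that shows the two sides of the JSON case above together with the "local copy or known-good repository" mitigation listed under Mitigations: a small validator that accepts the incomplete record once "Name" has been dropped from "required", and an integrity pin that refuses to load any schema whose content differs from the vetted copy. The schema texts, the sample document and the SHA-256 pin are constructed for the example; the validator supports only the "type", "properties" and "required" keywords, not full JSON Schema.

```python
"""Added example (not CAPEC's own code): minimal JSON Schema validation plus a
content fingerprint that blocks a poisoned schema before it is ever used."""
import hashlib
import json

# Constructed: the schema from the CAPEC example, and a poisoned copy in which
# "Name" has been removed from "required" (the modification the text describes).
ORIGINAL_SCHEMA_TEXT = """{
  "title": "Contact", "type": "object",
  "properties": {"Name": {"type": "string"}, "Phone": {"type": "string"},
                 "Email": {"type": "string"}, "Address": {"type": "string"}},
  "required": ["Name", "Phone", "Email", "Address"]
}"""
POISONED_SCHEMA_TEXT = """{
  "title": "Contact", "type": "object",
  "properties": {"Name": {"type": "string"}, "Phone": {"type": "string"},
                 "Email": {"type": "string"}, "Address": {"type": "string"}},
  "required": ["Phone", "Email", "Address"]
}"""
ORIGINAL_SCHEMA = json.loads(ORIGINAL_SCHEMA_TEXT)
POISONED_SCHEMA = json.loads(POISONED_SCHEMA_TEXT)

# Python types accepted for each JSON Schema primitive this toy validator knows.
_TYPE_MAP = {"string": (str,), "integer": (int,), "number": (int, float),
             "boolean": (bool,), "object": (dict,), "array": (list,)}


def _is_type(value, type_name):
    # bool is a subclass of int in Python; JSON Schema treats them as distinct.
    if type_name in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, _TYPE_MAP[type_name])


def validate(doc, schema):
    """Return a list of violations for the "type"/"properties"/"required"
    subset of JSON Schema; an empty list means the document was accepted."""
    expected = schema.get("type")
    if expected and not _is_type(doc, expected):
        return [f"value is not of type {expected}"]
    errors = []
    if isinstance(doc, dict):
        for name in schema.get("required", []):
            if name not in doc:
                errors.append(f"missing required property '{name}'")
        for name, sub in schema.get("properties", {}).items():
            if name in doc:
                errors.extend(f"{name}: {e}" for e in validate(doc[name], sub))
    return errors


def schema_fingerprint(schema_text):
    """SHA-256 over a canonical serialisation: whitespace-only differences do
    not change the pin, but any change to the schema's content does."""
    canonical = json.dumps(json.loads(schema_text), sort_keys=True,
                           separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class SchemaIntegrityError(Exception):
    """Raised when a schema does not match the pin recorded for the known-good copy."""


def load_pinned_schema(schema_text, expected_fingerprint):
    """Parse a schema only if it matches the fingerprint recorded at deploy
    time from the vetted local copy, instead of trusting whatever arrived."""
    actual = schema_fingerprint(schema_text)
    if actual != expected_fingerprint:
        raise SchemaIntegrityError(
            f"schema fingerprint {actual[:12]}... does not match pinned "
            f"{expected_fingerprint[:12]}...")
    return json.loads(schema_text)


if __name__ == "__main__":
    pin = schema_fingerprint(ORIGINAL_SCHEMA_TEXT)  # recorded from the vetted copy
    incomplete = {"Phone": "555-0100", "Email": "a@example.com", "Address": "1 Main St"}
    print(validate(incomplete, ORIGINAL_SCHEMA))   # flags the missing Name
    print(validate(incomplete, POISONED_SCHEMA))   # [] : incomplete record accepted
    try:
        load_pinned_schema(POISONED_SCHEMA_TEXT, pin)
    except SchemaIntegrityError as err:
        print("rejected:", err)
```

The pin is computed once from the copy that was reviewed and shipped with the application; at run time any schema fetched from disk or over the network is fingerprinted and compared before validation runs, so a modified "required" list is caught as an integrity failure rather than surfacing later as incomplete data.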

In a Database Schema Poisoning Attack, an adversary alters the database schema being used to modify the database in some way. This can result in loss of data, DOS, or malicious input being submitted. Assuming there is a column named "name", an adversary could make the following schema change:

ALTER TABLE Contacts MODIFY Name VARCHAR(65353);

The "Name" field of the "Contacts" table now allows the storing of names up to 65353 characters in length. This could allow the adversary to store excess data within the database to consume system resources or to execute a DOS.
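
A defender-side check for the database case, as an added Python example that is not part of the CAPEC entry: the live column definitions are read back from the database and compared against the baseline the application was deployed with, so a widened, missing or unexpected column is reported instead of silently accepted. It uses an in-memory SQLite database (which keeps the declared column type verbatim in PRAGMA table_info) and a constructed baseline; the table and column definitions are assumptions for the example.

```python
"""Added example (not CAPEC's own code): detect drift between a database's
live schema and a known-good baseline, such as a VARCHAR length that has been
widened by an unauthorised ALTER TABLE."""
import sqlite3

# Constructed baseline: the column definitions the application was deployed with.
EXPECTED_COLUMNS = {
    "Contacts": {"Id": "INTEGER", "Name": "VARCHAR(64)", "Phone": "VARCHAR(32)"},
}


def live_columns(conn, table):
    """Return {column name: declared type} from SQLite's PRAGMA table_info.
    The table name comes from the trusted baseline, never from user input."""
    rows = conn.execute(f"PRAGMA table_info({table})").fetchall()
    return {row[1]: row[2].upper() for row in rows}


def schema_drift(conn, expected=EXPECTED_COLUMNS):
    """Compare every baselined table with what the database reports and
    return a list of findings; an empty list means no drift was detected."""
    findings = []
    for table, cols in expected.items():
        actual = live_columns(conn, table)
        for name, typ in cols.items():
            if name not in actual:
                findings.append(f"{table}.{name}: column missing")
            elif actual[name] != typ.upper():
                findings.append(f"{table}.{name}: expected {typ}, found {actual[name]}")
        for name in sorted(actual.keys() - cols.keys()):
            findings.append(f"{table}.{name}: unexpected column")
    return findings


def build_db(name_type, with_phone=True):
    """Constructed in-memory database; name_type stands in for the declared
    type of Name after a (hypothetical) schema change."""
    conn = sqlite3.connect(":memory:")
    phone = ", Phone VARCHAR(32)" if with_phone else ""
    conn.execute(f"CREATE TABLE Contacts (Id INTEGER PRIMARY KEY, Name {name_type}{phone})")
    return conn


if __name__ == "__main__":
    print(schema_drift(build_db("VARCHAR(64)")))     # [] : matches the baseline
    print(schema_drift(build_db("VARCHAR(65353)")))  # reports the widened Name column
```

Run on a schedule or at application start-up, the findings list doubles as an alert source; the same comparison can be pointed at information_schema on other engines, where the declared lengths are returned as separate columns rather than inside the type string.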

+ Content History
Submissions
Submission Date            Submitter            Organization
2014-06-23 (Version 2.6)   CAPEC Content Team   The MITRE Corporation
Modifications
Modification Date          Modifier             Organization
2017-01-09 (Version 2.9)   CAPEC Content Team   The MITRE Corporation
  Updated Description, Description Summary, Related_Attack_Patterns
2018-07-31 (Version 2.12)  CAPEC Content Team   The MITRE Corporation
  Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)   CAPEC Content Team   The MITRE Corporation
  Updated Related_Weaknesses
2020-07-30 (Version 3.3)   CAPEC Content Team   The MITRE Corporation
  Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)   CAPEC Content Team   The MITRE Corporation
  Updated Execution_Flow, Related_Attack_Patterns
2022-09-29 (Version 3.8)   CAPEC Content Team   The MITRE Corporation
  Updated Example_Instances
2023-01-24 (Version 3.9)   CAPEC Content Team   The MITRE Corporation
  Updated Related_Attack_Patterns
Page Last Updated or Reviewed: July 31, 2018