New to CAPEC? Start Here
Home > CAPEC List > CAPEC-279: SOAP Manipulation (Version 3.6)  

CAPEC-279: SOAP Manipulation

Attack Pattern ID: 279
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an XML-based protocol, and therefore suffers from many of the same shortcomings as other XML-based protocols. Adversaries can make use of these shortcomings and manipulate the content of SOAP paramters, leading to undesirable behavior on the server and allowing the adversary to carry out a number of further attacks.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.278Web Services Protocol Manipulation
CanPrecedeDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.110SQL Injection through SOAP Parameter Tampering
CanPrecedeDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.228DTD Injection
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Experiment
  1. Detect Incorrect SOAP Parameter Handling: The adversary tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.

    Techniques
    Send more data than would seem reasonable for a field and see if the server complains.
    Send nonsense data in a field that expects a certain subset, such as product names or sequence numbers, and see if the server complains.
    Send XML metacharacters as data and see how the server responds.
Exploit
  1. Find target application: The adversary needs to identify an application that uses SOAP as a communication protocol.

    Techniques
    Observe HTTP traffic to an application and look for SOAP headers.
  2. Manipulate SOAP parameters: The adversary manipulates SOAP parameters in a way that causes undesirable behavior for the server. This can result in denial of service, information disclosure, arbitrary code exection, and more.

    Techniques
    Create a recursive XML payload that will take up all of the memory on the server when parsed, resulting in a denial of service. This is known as the billion laughs attack.
    Insert XML metacharacters into data fields that could cause the server to go into an error state when parsing. This could lead to a denial of service.
    Insert a large amount of data into a field that should have a character limit, causing a buffer overflow.
+ Prerequisites
An application uses SOAP-based web service api.
An application does not perform sufficient input validation to ensure that user-controllable data is safe for an XML parser.
The targeted server either fails to verify that data in SOAP messages conforms to the appropriate XML schema, or it fails to correctly handle the complete range of data allowed by the schema.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Availability
Resource Consumption
Confidentiality
Read Data
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
+ References
[REF-121] Navya Sidharth and Jigang Liu. "Intrusion Resistant SOAP Messaging with IAPF". IEEE. 2008-12. <http://ieeexplore.ieee.org/document/4780783/>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description, Description Summary, Examples-Instances, References, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
2020-12-17CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-10-21CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Execution_Flow
Previous Entry Names
Change DatePrevious Entry Name
2018-07-31Soap Manipulation
More information is available — Please select a different filter.
Page Last Updated or Reviewed: October 21, 2021