Dettaglio CAPEC-250

CAPEC-250

XML Injection
Alto
Draft
2014-06-23
00h00 +00:00
2022-02-22
00h00 +00:00
CAPEC Mitre.org
Avviso per un CAPEC specifico
Rimani informato su qualsiasi modifica relativa a un CAPEC specifico.
Gestione notifiche

Descrizioni CAPEC

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

Informazioni CAPEC

Flusso di esecuzione

1) Explore

[Survey the Target] Using a browser or an automated tool, an adversary records all instances of user-controllable input used to contruct XML queries

Tecnica
  • Use an automated tool to record all instances of user-controllable input used to contruct XML queries.
  • Use a browser to manually explore the website and analyze how the application processes inputs.
2) Experiment

[Determine the Structure of Queries] Using manual or automated means, test inputs found for XML weaknesses.

Tecnica
  • Use XML reserved characters or words, possibly with other input data to attempt to cause unexpected results and identify improper input validation.
3) Exploit

[Inject Content into XML Queries] Craft malicious content containing XML expressions that is not validated by the application and is executed as part of the XML queries.

Tecnica
  • Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker.

Prerequisiti

XML queries used to process user input and retrieve information stored in XML documents
User-controllable input not properly sanitized

Competenze richieste

An attacker must have knowledge of XML syntax and constructs in order to successfully leverage XML Injection

Risorse richieste

None: No specialized resources are required to execute this type of attack.

Mitigazioni

Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XML data or a query.
Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.

Vulnerabilità correlate

CWE-ID Nome della vulnerabilità

CWE-91

 XML Injection (aka Blind XPath Injection)
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

CWE-74

 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-20

 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-707

 Improper Neutralization
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Invio

Nome Organizzazione Data Data di rilascio
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifiche

Nome Organizzazione Data Commento
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Resources_Required
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated References, Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Mitigations, Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Execution_Flow
Le informazioni presentate su CVE Find provengono da diverse fonti di riferimento attentamente selezionate. I dati CVE sono forniti da MITRE Corporation e dal National Vulnerability Database (NVD). Il catalogo delle vulnerabilità sfruttate conosciute (KEV) proviene dalla Cybersecurity and Infrastructure Security Agency (CISA), mentre i punteggi EPSS provengono da FIRST.org. Inoltre, i dati relativi alle vulnerabilità software (CWE) e ai pattern di attacco comuni (CAPEC) sono mantenuti da MITRE Corporation, e le informazioni sulle configurazioni hardware e software (CPE) sono fornite da NVD.