CAPEC-250 - XML Injection

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods (1)
      • Injection
  • Purposes (2)
      • Penetration
      • Exploitation
  • Sec Principles (3)
      • Reluctance to Trust
      • Failing Securely
      • Defense in Depth
  • Scopes (2)
      • Gain privileges / assume identity (Authorization, Access_Control, Confidentiality)
      • Read application data (Confidentiality)

Low level: An attacker must have knowledge of XML syntax and constructs in order to successfully leverage XML Injection

XML queries used to process user input and retrieve information stored in XML documents

User-controllable input not properly sanitized

None

The attacker tries to inject characters that can cause an error, such as single-quote (') or equal sign (=), or content that may cause a malformed XML expression. If the injection of such content into the input causes an XPath error and the resulting error is displayed unfiltered, the attacker can begin to determine the nature of input validation and structure of XPath expressions used in queries.

Never Use Input as Part of a Directive to any Internal Component

Handle All Errors Safely

Step 1 - Survey Application

Technique ID: 1 - Environment(s) env-Web

Spider web sites for all available links.

Technique ID: 2 - Environment(s) env-ClientServer env-Peer2Peer env-CommProtocol

Gather results for analysis via responses or network sniffing.

Outcome ID: 1

Type: Success

At least one data input to application identified.

Outcome ID: 2

Type: Failure

No inputs to application identified, although this does not mean the application will not accept any.



Step 1 - Test user-controllable inputs for injection

Technique ID: 1 - Environment(s) env-Web

Use XML reserved characters or words, possibly combined with other input data, to attempt to cause unexpected results.

Indicator ID: 1 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Negative

Attacker receives normal response from server.

Indicator ID: 2 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Positive

Attacker receives an error message from server indicating that there was a problem with the SQL query.

Indicator ID: 3 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Negative

Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException).


Outcome ID: 1

Type: Success

At least one user-controllable input susceptible to injection found.

Outcome ID: 2

Type: Failure

No user-controllable input susceptible to injection found.



Special characters in user-controllable input must be escaped before use by the application.

Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database.

Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as for content that can be interpreted in the context of XML data or a query.

Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that report that an error occurred without disclosing information about the database or application.
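As an added illustration, not part of the CAPEC entry, of the quote/equal-sign probing described above and of the escaping, validation and error-handling mitigations, the following Python example places a string-concatenated XPath lookup beside a hardened one. It uses the standard library's xml.etree, whose XPath subset accepts quoted literals but does not evaluate concat(); the user document, the username allowlist and all function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample "XML database" of users (not from the CAPEC entry).
USERS_XML = """
<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
  <user name="o'neil" role="user"/>
</users>
"""
ROOT = ET.fromstring(USERS_XML)

# Hypothetical allowlist for a username field: letters, digits and a few
# punctuation characters. Spaces, '=', '"', brackets and operators are refused
# before the value gets anywhere near a query (the "strong input validation"
# mitigation). A single quote is allowed on purpose so that the literal
# quoting below is exercised by a legitimate name such as o'neil.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.'-]{1,32}$")


def vulnerable_lookup(name):
    """'Before' form: user input is concatenated straight into the XPath
    expression. A quote in the input changes the structure of the query;
    ElementTree then raises SyntaxError, and an application that shows that
    error unfiltered tells the prober how the expression is built."""
    return ROOT.findall(f".//user[@name='{name}']")


def xpath_literal(value):
    """Return VALUE as an XPath string literal that the value cannot break
    out of: wrap it in whichever quote kind it does not contain, or build
    it with concat() when it contains both. (ElementTree does not evaluate
    concat(); a full XPath 1.0 engine does, and the allowlist above never
    lets a '"' reach this branch anyway.)"""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def safe_lookup(name):
    """Hardened form: allowlist first, then a properly quoted literal, and
    every failure collapsed into one generic message so that the error text
    leaks nothing about the query (the "custom error pages" mitigation)."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    try:
        return ROOT.findall(f".//user[@name={xpath_literal(name)}]")
    except SyntaxError:
        # Should be unreachable after validation and quoting; still never
        # echo the parser's message to the client.
        raise ValueError("lookup failed") from None


def probe_outcome(lookup, payload):
    """What a client observes for one input: a match count, 'rejected'
    (generic refusal) or 'error' (query structure leaked via the parser)."""
    try:
        return len(lookup(payload))
    except SyntaxError:
        return "error"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for payload in ("alice", "o'neil", "alice' or 'a'='a"):
        print(repr(payload),
              "vulnerable:", probe_outcome(vulnerable_lookup, payload),
              "hardened:", probe_outcome(safe_lookup, payload))
```

Running the block shows the difference the page's mitigations make: the probe containing a single quote and an equal sign produces a parser error from the concatenated query, while the hardened path refuses it with a message that says nothing about XPath, and a legitimate name containing an apostrophe still resolves correctly because the literal is quoted rather than spliced in.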