CAPEC-84 - XQuery Injection

This attack utilizes XQuery to probe and attack server systems. In the same way that SQL injection lets an attacker exploit SQL calls to an RDBMS, XQuery injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements in the victim's environment, inject commands to the local host, or execute queries against remote files and data sources.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods (1)
    • Injection
  • Purposes (2)
    • Penetration
    • Exploitation
  • Scopes (4)
    • Modify application data: Integrity
    • Read application data: Confidentiality
    • Gain privileges / assume identity: Authorization, Access_Control, Confidentiality
    • Execute unauthorized code or commands: Availability, Integrity, Confidentiality

Low level: Basic understanding of XQuery

The XQL must execute unvalidated data

Step 1 (Explore) - Survey the application for user-controllable inputs

Using a browser or an automated tool, an attacker follows all public links and actions on a web site. The attacker records all the links, the forms, the resources accessed and all other potential entry points for the web application.

Technique ID: 1 - Environment(s) env-Web

Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.

Technique ID: 2 - Environment(s) env-Web

Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.

Technique ID: 3 - Environment(s) env-Web

Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate the discovery.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

Inputs are used by the application or the browser (DOM).

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

Using URL rewriting, parameters may be part of the URL path.

Indicator ID: 3 - Environment(s) env-Web

Type: Inconclusive

No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.

Indicator ID: 4 - Environment(s) env-Web

Type: Negative

Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.


Security Control ID: 1

Type: Detective

Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Security Control ID: 2

Type: Detective

Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.

Security Control ID: 3

Type: Preventative

Use CAPTCHA to prevent the use of the application by an automated tool.

Security Control ID: 4

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be automated.


Outcome ID: 1

Type: Success

A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker.

Outcome ID: 2

Type: Success

A list of application user interface entry fields is created by the attacker.

Outcome ID: 3

Type: Success

A list of resources accessed by the application is created by the attacker.



Step 1 (Experiment) - Determine user-controllable input susceptible to injection

Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with invalid syntax.

Technique ID: 1 - Environment(s) env-Web

Use a web browser to inject input through text fields or through HTTP GET parameters.

Technique ID: 2 - Environment(s) env-Web

Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab, etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.

Technique ID: 3 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Use XML files to inject input.

Technique ID: 4 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Use network-level packet injection tools such as netcat to inject input.

Technique ID: 5 - Environment(s) env-ClientServer env-Peer2Peer env-CommProtocol

Use modified client (modified by reverse engineering) to inject input.

Indicator ID: 1 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Negative

The attacker receives a normal response from the server.

Indicator ID: 2 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Positive

The attacker receives an error message from the server indicating that there was a problem with the XQL query.

Indicator ID: 3 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Negative

The server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException), rather than a query-level error.


Security Control ID: 1

Type: Detective

Search for and alert on unexpected XQL keywords in application logs.

Security Control ID: 2

Type: Preventative

Validate user-controlled data before including it in an XQL query.


Outcome ID: 1

Type: Success

At least one user-controllable input susceptible to injection found.

Outcome ID: 2

Type: Failure

No user-controllable input susceptible to injection found.



Step 1 (Exploit) - Information Disclosure

The attacker crafts and injects an XQuery payload which is acted on by an XQL query, leading to inappropriate disclosure of information.

Technique ID: 1 - Environment(s) env-Web

Leveraging one of the vulnerable inputs identified during the Experiment phase, inject a malicious XQuery payload. The payload aims to obtain information on the structure of the underlying XML database and/or the content in it.

Security Control ID: 1

Type: Detective

Monitor server logs for suspicious XQuery requests.
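The detective controls in the Experiment and Exploit phases (search application logs for unexpected XQL keywords; monitor server logs for suspicious XQuery requests) can be turned into a first-pass log scan. The following is an added example, not from CAPEC or any named product: it parses constructed combined-format access log lines, URL-decodes each query-string parameter, and flags values that contain XQuery prolog or FLWOR syntax, document-opening functions, or a quote that closes a predicate. The log lines, the pattern list, and the function names are this example's own assumptions.

```python
"""Added example (not from CAPEC-84): flag XQuery syntax in access-log parameters."""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that rarely occur in ordinary form values but do in XQuery text.
XQUERY_SIGNS = re.compile(r"""(?ix)
    \b(?:doc|collection|doc-available)\s*\(        # functions that open other documents
  | \b(?:let|for|some|every)\s+\$[\w-]+            # FLWOR / quantifier clause binding a variable
  | \bdeclare\s+(?:variable|function|namespace)\b  # query prolog declarations
  | ['"]\s*\]                                       # a quote that ends a string, then closes a predicate
""")

# Constructed sample log: lines 3 and 4 carry query syntax, the rest are benign.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /lookup?user=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /lookup?user=o%27brien HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:44 +0000] "GET /lookup?user=alice%27%5D HTTP/1.1" 500 87 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:48 +0000] "GET /search?q=for+%24u+in+doc%28%22users.xml%22%29 HTTP/1.1" 500 87 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=doctor+for+docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan_log(lines):
    """Return (line_no, client_ip, parameter, decoded_value, matched_fragment)
    for every query-string parameter whose decoded value matches XQUERY_SIGNS."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl undoes percent-encoding and '+' so the pattern sees real text.
        for name, value in parse_qsl(query, keep_blank_values=True):
            found = XQUERY_SIGNS.search(value)
            if found:
                hits.append((line_no, m.group("ip"), name, value, found.group(0)))
    return hits


def hits_by_source(lines):
    """Count flagged requests per client, the 'consecutive suspicious requests'
    signal the page's Exploit-phase control looks for."""
    counts = {}
    for _, ip, _, _, _ in scan_log(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s=%r matched %r" % hit)
    print(hits_by_source(SAMPLE_LOG))
```

Line 2 (`o'brien`) is deliberately not flagged: a lone apostrophe is common in legitimate values, so the pattern keys on query syntax rather than on quote characters alone, and the 5xx status on lines 3 and 4 is the corroborating signal from the page's Experiment-phase indicators. Access logs only carry GET parameters; POST bodies and XML request documents need the application's own logging to be covered.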

Security Control ID: 2

Type: Preventative

Use appropriate input validation to filter XQL syntax in user-controllable inputs.

Security Control ID: 3

Type: Preventative

Do not use user-controllable input as part of XQL queries.


Outcome ID: 1

Type: Success

The attacker gets information from the XML database.


Step 2 (Exploit) - Manipulate the data in the XML database

The attacker crafts and injects an XQuery payload which is acted on by an XQL query, leading to modification of application data.

Technique ID: 1 - Environment(s) env-Web

Leveraging one of the vulnerable inputs identified during the Experiment phase, inject a malicious XQuery payload. The payload tries to insert or replace data in the XML database.

Security Control ID: 1

Type: Detective

Monitor server logs for consecutive suspicious requests to the XML database.

Security Control ID: 2

Type: Preventative

Use appropriate input validation to filter XQL syntax in user-controllable inputs.

Security Control ID: 3

Type: Preventative

Do not use user-controllable input as part of XQL queries.


Outcome ID: 1

Type: Success

The attacker gets the XQuery engine to insert or modify data in the database. This is mainly used either to insert wrong data or to insert persistent attack payloads (XSS, for instance) that will be sent to other users' browsers.



Design: Perform input whitelist validation on all XML input.

Implementation: Run XML parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.
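To make the Experiment-phase indicators and the two mitigations above concrete, here is an added example that is not part of the CAPEC entry: one lookup written with the user's value spliced into the query text, and the same lookup with whitelist validation and the value kept out of the query altogether. Python's ElementTree XPath subset stands in for an XQuery engine (no XQuery engine is assumed, and ElementTree's `SyntaxError` plays the role of the engine's query error); the sample XML, the allow-list pattern, and the function names are constructed for this example.

```python
"""Added example (not from CAPEC-84): one lookup built the vulnerable way and
the hardened way. ElementTree's XPath subset stands in for an XQuery engine;
the flaw (input spliced into query text) and the fix are the same for either."""
import re
import xml.etree.ElementTree as ET

# Constructed sample "XML database" for this example.
USERS_XML = """<users>
  <user><name>alice</name><email>alice@example.test</email><role>staff</role></user>
  <user><name>bob</name><email>bob@example.test</email><role>admin</role></user>
</users>"""
ROOT = ET.fromstring(USERS_XML)

# Whitelist for the one value this lookup accepts (hypothetical policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def vulnerable_lookup(root, username):
    """String concatenation: the caller's bytes become query text, so a quote
    or bracket in the input changes the structure of the query the engine parses."""
    query = f".//user[name='{username}']/email"
    return [e.text for e in root.findall(query)]


def hardened_lookup(root, username):
    """Whitelist the input, then compare it in code instead of embedding it in
    the query (the page's controls: validate input; do not use
    user-controllable input as part of XQL queries)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by whitelist")
    return [u.findtext("email") for u in root.iter("user")
            if u.findtext("name") == username]


def classify(lookup, root, username):
    """Label the outcome the way the page's indicators do: a query-syntax error
    is the positive signal that input reached the query text; a validation
    rejection means the engine never saw the input."""
    try:
        return "normal response", lookup(root, username)
    except SyntaxError as exc:      # ElementTree's error for a malformed predicate
        return "query error", str(exc)
    except ValueError as exc:
        return "rejected by validation", str(exc)


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        print(name, "->", classify(vulnerable_lookup, ROOT, name),
              "|", classify(hardened_lookup, ROOT, name))
```

With a real XQuery engine, the equivalent of `hardened_lookup` is to declare the value as an external variable (`declare variable $name external;`) and bind it through the engine's API, so the query text never changes with the input. The whitelist is a second layer and must match the real data domain: it rejects `o'brien` here, which is only acceptable if such names are never legitimate; where they are, variable binding rather than character filtering is the control that holds.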