An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
Description
Attack Execution Flow
3
1
Step 1
Explore[Survey the Target] Using a browser or an automated tool, an adversary records all instances of user-controllable input used to contruct XML queries
Use an automated tool to record all instances of user-controllable input used to contruct XML queries.
Use a browser to manually explore the website and analyze how the application processes inputs.
AI Translation
[Indaga sul Target] Utilizzando un browser o uno strumento automatizzato, un adversary registra tutte le istanze di input controllabili dall'utente usati per costruire query XML
Utilizza uno strumento automatizzato per registrare tutte le istanze di input controllabili dall'utente usati per costruire query XML.
Utilizza un browser per esplorare manualmente il sito web e analizzare come l'applicazione processa gli input.
Attack Techniques
-
Use an automated tool to record all instances of user-controllable input used to contruct XML queries.
-
Use a browser to manually explore the website and analyze how the application processes inputs.IT: Utilizza uno strumento automatizzato per registrare tutte le istanze di input controllabili dall'utente utilizzate per costruire query XML.
2
Step 2
Experiment[Determine the Structure of Queries] Using manual or automated means, test inputs found for XML weaknesses.
Use XML reserved characters or words, possibly with other input data to attempt to cause unexpected results and identify improper input validation.
AI Translation
[Determinare la Struttura delle Query] Utilizzare metodi manuali o automatizzati per testare gli input trovati per vulnerabilità XML.
Utilizzare caratteri o parole riservate XML, possibilmente con altri dati di input, per tentare di causare risultati inattesi e identificare una validazione degli input inadeguata.
Attack Techniques
-
Use XML reserved characters or words, possibly with other input data to attempt to cause unexpected results and identify improper input validation.
3
Step 3
Exploit[Inject Content into XML Queries] Craft malicious content containing XML expressions that is not validated by the application and is executed as part of the XML queries.
Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker.
AI Translation
[Inject Content into XML Queries] Creare contenuti dannosi contenenti espressioni XML che non vengono convalidati dall'applicazione e vengono eseguiti come parte delle query XML.
Utilizzare l'input manipolato per eseguire query inaspettate che possono divulgare informazioni sensibili del database all'attaccante.
Attack Techniques
-
Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker.
Mitigations
2
Strong Input Validation - All User-Controllable Input Must Be Validated And Filtered For Illegal Characters As Well As Content That Can Be Interpreted In The Context Of An Xml Data Or A Query.
Use Of Custom Error Pages - Attackers Can Glean Information About The Nature Of Queries From Descriptive Error Messages. Input Validation Must Be Coupled With Customized Error Pages That Inform About An Error Without Disclosing Information About The Database Or Application.
Consequences
Security Scopes Affected
Access Control
Authorization
Confidentiality
Potential Impacts
Gain Privileges
Read Data
Indicators
1
Too many exceptions generated by the application as a result of malformed queries
Relationships
Parent CAPECs
Resources Required
1
None: No specialized resources are required to execute this type of attack.