XQuery Injection
Attack Pattern ID: 84 (Detailed Attack Pattern Completeness: Complete)
Typical Severity: Very High
Status: Draft
+ Description

Summary

This attack utilizes XQuery to probe and attack server systems. In a similar manner to how SQL Injection allows an attacker to exploit SQL calls to an RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements in the victim's environment, inject commands to the local host, or execute queries against remote files and data sources.

Attack Execution Flow

Explore
  1. Survey the application for user-controllable inputs:

    Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application.

    Attack Step Techniques (ID, description, environments)

    1. Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
       Environments: env-Web

    2. Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
       Environments: env-Web

    3. Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate the discovery.
       Environments: env-Web

    Indicators (ID, type, description, environments)

    1. Positive: Inputs are used by the application or the browser (DOM).
       Environments: env-Web

    2. Inconclusive: Using URL rewriting, parameters may be part of the URL path.
       Environments: env-Web

    3. Inconclusive: No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
       Environments: env-Web

    4. Negative: Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
       Environments: env-Web

    Outcomes (ID, type, description)

    1. Success: A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.), is created by the attacker.
    2. Success: A list of application user interface entry fields is created by the attacker.
    3. Success: A list of resources accessed by the application is created by the attacker.

    Security Controls (ID, type, description)

    1. Detective: Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
    2. Detective: Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from humans browsing the site but remain visible to spiders and programs. A request for such a page then becomes a good predictor of an automated tool probing the application.
    3. Preventative: Use CAPTCHA to prevent the use of the application by an automated tool.
    4. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Experiment
  1. Determine user-controllable input susceptible to injection:

    Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with an invalid syntax.

    Attack Step Techniques (ID, description, environments)

    1. Use a web browser to inject input through text fields or through HTTP GET parameters.
       Environments: env-Web

    2. Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab, etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
       Environments: env-Web

    3. Use XML files to inject input.
       Environments: env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    4. Use network-level packet injection tools such as netcat to inject input.
       Environments: env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    5. Use a modified client (modified by reverse engineering) to inject input.
       Environments: env-ClientServer env-Peer2Peer env-CommProtocol

    Indicators (ID, type, description, environments)

    1. Negative: Attacker receives a normal response from the server.
       Environments: env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    2. Positive: Attacker receives an error message from the server indicating that there was a problem with the XQL query.
       Environments: env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    3. Negative: Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException).
       Environments: env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Outcomes (ID, type, description)

    1. Success: At least one user-controllable input susceptible to injection found.
    2. Failure: No user-controllable input susceptible to injection found.

    Security Controls (ID, type, description)

    1. Detective: Search for and alert on unexpected XQL keywords in application logs.
    2. Preventative: Validate user-controlled data before including it in an XQL query.
Exploit
  1. Information Disclosure:

    The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information.

    Attack Step Techniques (ID, description, environments)

    1. Leveraging one of the vulnerable inputs identified during the Experiment phase, inject a malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it.
       Environments: env-Web

    Outcomes (ID, type, description)

    1. Success: The attacker gets information from the XML database.

    Security Controls (ID, type, description)

    1. Detective: Monitor server logs for suspicious XQuery requests.
    2. Preventative: Use appropriate input validation to filter XQL syntax in user-controllable inputs.
    3. Preventative: Do not use user-controllable input as part of XQL queries.
  2. Manipulate the data in the XML database:

    The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data.

    Attack Step Techniques (ID, description, environments)

    1. Leveraging one of the vulnerable inputs identified during the Experiment phase, inject a malicious XQuery payload. The payload tries to insert or replace data in the XML database.
       Environments: env-Web

    Outcomes (ID, type, description)

    1. Success: The attacker gets the XQuery engine to insert or modify data in the database. This is mainly used either to insert wrong data or to insert persistent attack payloads (XSS, for instance) that will be sent to other users' browsers.

    Security Controls (ID, type, description)

    1. Detective: Monitor server logs for consecutive suspicious requests to the XML database.
    2. Preventative: Use appropriate input validation to filter XQL syntax in user-controllable inputs.
    3. Preventative: Do not use user-controllable input as part of XQL queries.
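The detective controls in the Experiment and Exploit phases (alert on unexpected XQL keywords in application logs; watch for consecutive suspicious requests from one client) can be implemented as a small log scanner. The Python below is an added example and is not part of the CAPEC entry. It runs over a few constructed Common Log Format lines (the hosts, timestamps and the /account endpoint are invented) and flags any URL-decoded request parameter that contains XQuery syntax such as doc(), //, predicate brackets, string delimiters or FLWOR keywords; the third sample request carries the entry's own example expression, URL-encoded. The token list and thresholds are assumptions to be tuned per application.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (Common Log Format); no real hosts or users.
# Request 3 echoes this entry's own example expression, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2009:10:00:01 +0000] "GET /account?name=alice HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2009:10:00:02 +0000] "GET /account?name=alice%27 HTTP/1.1" 500 87
10.0.0.5 - - [10/Feb/2009:10:00:03 +0000] "GET /account?name=doc(%22accounts.xml%22)//user%5BName=%27*%27%5D HTTP/1.1" 200 4096
10.0.0.9 - - [10/Feb/2009:10:00:04 +0000] "GET /account?name=bob&page=2 HTTP/1.1" 200 498
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Tokens that mean something to an XQuery processor but have no business in a
# user name, account id or similar parameter. The string-delimiter rule will
# also hit legitimate apostrophes (O'Brien), so scope rules per parameter.
XQUERY_TOKENS = {
    "doc()": re.compile(r"\bdoc\s*\("),
    "path step //": re.compile(r"//"),
    "predicate [ ]": re.compile(r"[\[\]]"),
    "string delimiter": re.compile(r"['\"]"),
    "FLWOR clause": re.compile(r"\b(for|let)\s+\$\w+|\breturn\b", re.IGNORECASE),
    "declare": re.compile(r"\bdeclare\b", re.IGNORECASE),
}


def parse_log_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["target"])
    fields["path"] = parts.path
    # parse_qsl URL-decodes values, so encoded quotes and brackets become visible.
    fields["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return fields


def suspicious_tokens(value):
    """Names of the XQuery tokens present in one decoded parameter value."""
    return [name for name, pat in XQUERY_TOKENS.items() if pat.search(value)]


def scan_log(text):
    """One alert per parameter value that carries XQuery syntax."""
    alerts = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            tokens = suspicious_tokens(value)
            if tokens:
                alerts.append({
                    "client": rec["client"],
                    "path": rec["path"],
                    "param": name,
                    "value": value,
                    "tokens": tokens,
                    # A 5xx after an injected delimiter matches the Experiment
                    # phase's "error message from server" indicator.
                    "server_error": rec["status"].startswith("5"),
                })
    return alerts


def repeated_offenders(alerts, threshold=2):
    """Clients with at least `threshold` suspicious requests (repeated probing)."""
    counts = Counter(a["client"] for a in alerts)
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        flag = " (server error)" if a["server_error"] else ""
        print(f"{a['client']} {a['path']} {a['param']}={a['value']!r} -> {a['tokens']}{flag}")
    print("repeated offenders:", repeated_offenders(found))
```

Run as a script it prints two alerts for 10.0.0.5 (the bare quote that produced a 500, then the full doc() expression) and lists that client as a repeated offender; 10.0.0.9's ordinary request is not flagged. Feeding real logs through the same functions only requires that the web server keep the query string in the access log.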
+ Attack Prerequisites

The XQL must execute unvalidated data.

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing accounts.xml to request that the service provider send all user names back.

doc("accounts.xml")//user[Name='*']

The attacks that are possible through XQuery are difficult to predict if the data is not validated prior to executing the XQL.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Basic understanding of XQuery

+ Solutions and Mitigations

Design: Perform input white list validation on all XML input.

Implementation: Run XML parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.
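As an added example (not from the CAPEC entry), the Python below contrasts the vulnerable pattern, splicing a user-supplied name into XQuery source, with the mitigations named here: white list (allowlist) validation of the value, including when it arrives inside an XML document as the Examples section describes, and a constant query that receives the value through an XQuery external variable (`declare variable $name external;`), which the engine binds separately from the query text. The accounts.xml document, the `<lookup><name>` request shape, the ACCOUNT_NAME allowlist and all function names are assumptions; no XQuery engine is invoked, the code only produces the query text and its bindings map.

```python
import re
import xml.etree.ElementTree as ET

# Allowlist for an account name (assumption for this example): letters, digits,
# dot, underscore and hyphen, 1 to 32 characters. Anything else is rejected
# before it can reach the query layer.
ACCOUNT_NAME = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Constant query text: the value arrives through an external variable that the
# XQuery engine binds, so user data never becomes part of the query source.
SAFE_QUERY = (
    "declare variable $name external;\n"
    "doc('accounts.xml')//user[Name = $name]"
)


def build_query_unsafe(name):
    """Vulnerable pattern: untrusted text is spliced into XQuery source.

    A single quote in `name` closes the string literal and changes the query
    structure, which is what the Experiment phase's error indicator detects.
    """
    return f"doc('accounts.xml')//user[Name='{name}']"


def validate_account_name(name):
    """Allowlist check; raises ValueError for anything outside the allowlist."""
    if not isinstance(name, str) or not ACCOUNT_NAME.match(name):
        raise ValueError("account name rejected by allowlist")
    return name


def build_query_safe(name):
    """Hardened form: validated value bound to an external variable.

    Returns the constant query text plus a bindings map; an XQuery API such as
    XQJ's bindString or Saxon s9api's setExternalVariable hands the map to the
    engine, which treats the value as data, never as query syntax.
    """
    return SAFE_QUERY, {"name": validate_account_name(name)}


def account_name_from_xml(xml_text):
    """Take the name out of a <lookup><name>...</name></lookup> request body.

    The document is parsed as data only and its text is allowlist-checked, so
    an XQuery expression embedded in the XML is rejected rather than evaluated.
    For documents from untrusted peers, parse with defusedxml as well to bound
    entity expansion.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "lookup":
        raise ValueError("unexpected root element")
    name = root.findtext("name")
    if name is None:
        raise ValueError("missing <name> element")
    return validate_account_name(name.strip())


if __name__ == "__main__":
    print(build_query_unsafe("alice"))
    print(build_query_unsafe("alice'"))   # literal broken: Name='alice''
    print(build_query_safe("alice"))
    for bad in ("alice'", "doc(\"accounts.xml\")//user[Name='*']"):
        try:
            build_query_safe(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
    print(account_name_from_xml("<lookup><name>bob</name></lookup>"))
```

The point to take from the safe builder is that its query text is identical for every input; only the bindings map changes. That property, together with the allowlist, is what keeps the entry's example expression from ever being interpreted as XQuery, and it is independent of the privilege reduction recommended under Implementation, which still applies to the process that finally runs the query.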

+ Attack Motivation-Consequences
  • Data Modification
  • Information Leakage
  • Privilege Escalation
  • Run Arbitrary Code
+ Injection Vector

XML-capable system interfaces

+ Payload

XQuery syntax

+ Activation Zone

XQL commands

+ Related Weaknesses
  • CWE-74: Failure to Sanitize Data into a Different Plane ('Injection') (Targeted)
  • CWE-713: OWASP Top Ten 2007 Category A2 - Injection Flaws (Targeted)
  • CWE-707: Improper Enforcement of Message or Data Structure (Targeted)
+ Related Attack Patterns
  • ChildOf Attack Pattern 250: XML Injection (View: Mechanism of Attack (primary), 1000)
  • ChildOf Category 379: WASC Threat Classification 2.0 - WASC-46 - XQuery Injection (View: WASC Threat Classification 2.0, 333)
+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
+ Technical Context
Architectural Paradigms
Client-Server
SOA
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
  • Gunnar Peterson, 2007-02-28
Modifications
  • Sean Barnum (Cigital, Inc), 2007-03-07: Review and revise
  • Romain Gaucher (Cigital, Inc), 2009-02-10: Created draft content for detailed description
  • Sean Barnum (Cigital Federal, Inc), 2009-04-13: Reviewed and revised content for detailed description