SOAP Parameter Tampering
Attack Pattern ID: 280 (Detailed Attack Pattern Completeness: Stub)
Typical Severity: Medium
Status: Draft
+ Description

Summary

An attacker sends a SOAP message whose field values differ from what the server is likely to expect, in order to precipitate non-standard server behavior. In a SOAP message, parameters take the form of values within XML elements. The server will have an XML schema that places certain restrictions on these parameter values; for example, the server may expect a parameter to be a string with fewer than 10 characters, or a number less than 100. In a SOAP parameter tampering attack, an attacker either violates this schema or takes advantage of flexibility within the schema (for example, a lack of a character limit) to provide parameters that a server might not expect. Examples of unexpected parameters include oversized data, data of a different data type, metacharacters inserted within data, and contextually inappropriate data (for example, a non-existent product name in a product name field, or an out-of-order sequence number). Results of this attack can include information disclosure, denial of service, or even execution of arbitrary code.

+ Attack Prerequisites

The targeted server either fails to verify that data in SOAP messages conforms to the appropriate XML schema, or it fails to correctly handle the complete range of data allowed by the schema.
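As an added illustration of the description and the prerequisite above (example code written for this page, not CAPEC's own), the following Python sketch shows the server-side check whose absence enables the attack: it parses a SOAP envelope, extracts the operation's parameters and enforces schema-style constraints (a length/pattern facet on a string, a numeric range on an integer), rejecting oversized, wrongly typed, metacharacter-laden, missing and unexpected parameters before any processing happens. The PlaceOrder operation, its namespace, its two parameters and their limits are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# What the (hypothetical) server-side XML schema says about each parameter.
PARAM_RULES = {
    "productName": {"kind": "string", "pattern": r"[A-Za-z0-9 ]{1,10}"},
    "quantity": {"kind": "int", "min": 1, "max": 99},
}

def extract_params(envelope_xml: str) -> dict:
    # Return the single operation's child elements as {local-name: text}.
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Body must carry exactly one operation element")
    return {el.tag.split("}")[-1]: (el.text or "") for el in body[0]}

def validate_params(params: dict) -> dict:
    # Enforce the schema constraints; any tampered value raises ValueError.
    if unknown := sorted(set(params) - set(PARAM_RULES)):
        raise ValueError(f"unexpected parameter(s): {unknown}")
    checked = {}
    for name, rule in PARAM_RULES.items():
        raw = params.get(name)
        if raw is None:
            raise ValueError(f"missing parameter: {name}")
        if rule["kind"] == "int":
            if not re.fullmatch(r"-?\d{1,9}", raw.strip()):  # rejects "abc" and huge digit runs
                raise ValueError(f"{name}: not a bounded integer")
            val = int(raw)
            if not rule["min"] <= val <= rule["max"]:
                raise ValueError(f"{name}: {val} outside {rule['min']}..{rule['max']}")
        elif not re.fullmatch(rule["pattern"], raw):  # catches overlength and metacharacters
            raise ValueError(f"{name}: violates length/pattern facet")
        else:
            val = raw
        checked[name] = val
    return checked

def check_message(envelope_xml: str):
    # (True, params) for a conforming message, else (False, reason) and no processing.
    try:
        return True, validate_params(extract_params(envelope_xml))
    except (ET.ParseError, ValueError) as exc:
        return False, str(exc)

def envelope(product: str, quantity: str) -> str:
    # Constructed sample request for the hypothetical PlaceOrder operation (test input only).
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><o:PlaceOrder xmlns:o="urn:example:orders">'
            f'<o:productName>{product}</o:productName><o:quantity>{quantity}</o:quantity></o:PlaceOrder></soap:Body></soap:Envelope>')
```

A server that skips validate_params and hands the raw text straight to its business logic or database layer is exactly the target this pattern describes.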

+ Resources Required

The attacker must be able to craft arbitrary SOAP messages and send them to the targeted server.

+ Related Attack Patterns
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Attack Pattern | 279 | SOAP Manipulation | Mechanism of Attack (primary) 1000
ParentOf | Attack Pattern | 110 | SQL Injection through SOAP Parameter Tampering | Mechanism of Attack (primary) 1000