XQuery Injection
Attack Pattern ID: 84 (Detailed Attack Pattern Completeness: Complete) | Typical Severity: Very High | Status: Draft
Summary
This attack uses XQuery to probe and attack server systems. In the same way that SQL injection lets an attacker exploit SQL calls to an RDBMS, XQuery injection uses improperly validated data that is passed into XQuery commands to traverse and execute whatever the XQuery routines have access to. XQuery injection can be used to enumerate elements in the victim's environment, inject commands to the local host, or execute queries against remote files and data sources.
Attack Execution Flow
Survey the application for user-controllable inputs:
Using a browser or an automated tool, the attacker follows all public links and actions on a web site, recording all the links, forms, resources accessed and any other potential entry points into the web application.
Attack Step Techniques

ID | Attack Step Technique Description | Environments
---|---|---
1 | Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. | env-Web
2 | Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. | env-Web
3 | Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate the discovery. | env-Web

Indicators

ID | Type | Indicator Description | Environments
---|---|---|---
1 | Positive | Inputs are used by the application or the browser (DOM). | env-Web
2 | Inconclusive | With URL rewriting, parameters may be part of the URL path. | env-Web
3 | Inconclusive | No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. | env-Web
4 | Negative | Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. | env-Web

Outcomes

ID | Type | Outcome Description
---|---|---
1 | Success | A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.), is created by the attacker.
2 | Success | A list of application user interface entry fields is created by the attacker.
3 | Success | A list of resources accessed by the application is created by the attacker.

Security Controls

ID | Type | Security Control Description
---|---|---
1 | Detective | Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it click far slower and far less regularly than tools. Tools make requests very quickly, and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMEs, images, or other HTML techniques, the links can be hidden from humans browsing the site but remain visible to spiders and programs. A request for such a page is then a good predictor of an automated tool probing the application.
3 | Preventative | Use CAPTCHA to prevent the use of the application by an automated tool.
4 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Determine user-controllable input susceptible to injection:
For each user-controllable input that the attacker suspects is vulnerable to XQL injection, inject characters that have special meaning in XQL (a single quote that closes a string literal, for example). The goal is to produce an XQL query with invalid syntax, so that the application's response reveals whether the input reaches a query.
Attack Step Techniques

ID | Attack Step Technique Description | Environments
---|---|---
1 | Use a web browser to inject input through text fields or through HTTP GET parameters. | env-Web
2 | Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab, etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. | env-Web
3 | Use XML files to inject input. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol
4 | Use network-level packet injection tools such as netcat to inject input. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol
5 | Use a modified client (modified by reverse engineering) to inject input. | env-ClientServer env-Peer2Peer env-CommProtocol

Indicators

ID | Type | Indicator Description | Environments
---|---|---|---
1 | Negative | Attacker receives a normal response from the server. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol
2 | Positive | Attacker receives an error message from the server indicating that there was a problem with the XQL query. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol
3 | Negative | Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException), meaning the value was converted before reaching any query. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Outcomes

ID | Type | Outcome Description
---|---|---
1 | Success | At least one user-controllable input susceptible to injection found.
2 | Failure | No user-controllable input susceptible to injection found.

Security Controls

ID | Type | Security Control Description
---|---|---
1 | Detective | Search for and alert on unexpected XQL keywords in application logs.
2 | Preventative | Validate user-controlled data before including it in an XQL query.
Information Disclosure:
The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information.
Attack Step Techniques

ID | Attack Step Technique Description | Environments
---|---|---
1 | Leveraging one of the vulnerable inputs identified during the Experiment phase, inject a malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it. | env-Web

Outcomes

ID | Type | Outcome Description
---|---|---
1 | Success | The attacker gets information from the XML database.

Security Controls

ID | Type | Security Control Description
---|---|---
1 | Detective | Monitor server logs for suspicious XQuery requests.
2 | Preventative | Use appropriate input validation to filter XQL syntax in user-controllable inputs.
3 | Preventative | Do not use user-controllable input as part of XQL queries.

Manipulate the data in the XML database:
The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data.
Attack Step Techniques

ID | Attack Step Technique Description | Environments
---|---|---
1 | Leveraging one of the vulnerable inputs identified during the Experiment phase, inject a malicious XQuery payload. The payload tries to insert or replace data in the XML database. | env-Web

Outcomes

ID | Type | Outcome Description
---|---|---
1 | Success | The attacker gets the XQuery engine to insert or modify data in the database. This is mainly used either to insert wrong data or to insert persistent attack payloads (XSS, for instance) that will be served to other users' browsers.

Security Controls

ID | Type | Security Control Description
---|---|---
1 | Detective | Monitor server logs for consecutive suspicious requests to the XML database.
2 | Preventative | Use appropriate input validation to filter XQL syntax in user-controllable inputs.
3 | Preventative | Do not use user-controllable input as part of XQL queries.
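The detective controls in the Experiment and Exploit phases (search application logs for unexpected XQL keywords; monitor server logs for suspicious XQuery requests) in working form. This is an added example and not part of the CAPEC entry: it assumes a Common Log Format access log, a hypothetical /account endpoint with a name parameter, and constructed log lines, and the indicator patterns are a starting point to tune for a given application rather than a complete signature set.

```python
"""Flag request parameters that carry XQuery/XPath syntax in web-server logs.

Added example, not from the CAPEC entry. The log lines, the /account
endpoint and the `name` parameter are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines: a normal lookup, a single-quote probe
# that produced a 500, a predicate-breaking payload, a doc() call against
# accounts.xml, and another normal lookup.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2009:10:00:01 +0000] "GET /account?name=alice HTTP/1.1" 200 512
203.0.113.7 - - [10/Feb/2009:10:00:02 +0000] "GET /account?name=%27 HTTP/1.1" 500 88
203.0.113.7 - - [10/Feb/2009:10:00:03 +0000] "GET /account?name=%27%20or%20%271%27%3D%271 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Feb/2009:10:00:04 +0000] "GET /account?name=doc(%22accounts.xml%22)//user HTTP/1.1" 200 4096
198.51.100.9 - - [10/Feb/2009:10:00:05 +0000] "GET /account?name=bob HTTP/1.1" 200 510
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructs that only make sense inside a query, never in an account name.
STRONG_SYNTAX = re.compile(r"doc\(|collection\(|//|\$|\]|\bfor\s+\$|\blet\s+\$", re.I)
# Keywords that become dangerous once a quote has closed a string literal.
KEYWORD = re.compile(r"\b(?:or|and|return|where|eq|ne)\b", re.I)
QUOTE = re.compile(r"""['"]""")


def classify(value: str, status: int) -> list[str]:
    """Return the reasons a parameter value looks like an XQuery injection attempt.

    A lone apostrophe (O'Brien) is not enough on its own: it needs a keyword
    after it, or a 5xx response that shows the query failed to parse.
    """
    reasons = []
    if STRONG_SYNTAX.search(value):
        reasons.append("xquery-syntax")
    if QUOTE.search(value) and KEYWORD.search(value):
        reasons.append("quote+keyword")
    if QUOTE.search(value) and status >= 500:
        # The Experiment step: a stray quote that breaks the query is the
        # attacker's positive indicator, so it is ours as well.
        reasons.append("quote-with-5xx")
    return reasons


def parse_line(line: str):
    """Split one CLF line into client, path, status and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "status": int(m.group("status")),
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def scan(lines) -> list[dict]:
    """Run classify() over every parameter value and collect the hits in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key, values in rec["params"].items():
            for value in values:
                reasons = classify(value, rec["status"])
                if reasons:
                    hits.append({"ip": rec["ip"], "path": rec["path"], "param": key,
                                 "value": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["ip"]} {hit["path"]} {hit["param"]}={hit["value"]!r} -> {hit["reasons"]}')
```

Run over the constructed lines, the two normal lookups are silent and the probe, the predicate payload and the doc() call are reported, each with the reason that fired; in production the same three reasons map naturally onto alert severities, with a quote followed by a 5xx being the earliest signal that someone has found an input that reaches the query.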
Description
An attacker can pass XQuery expressions embedded in otherwise standard XML documents. As in SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing accounts.xml to request that the service provider send all user names back.
The attacks that are possible through XQuery are difficult to predict if the data is not validated prior to executing the XQL.
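The Description's own query string against accounts.xml is not reproduced on this page. What follows is an added example, not from the CAPEC entry, that shows the Experiment step (a stray quote that breaks the query) and the Exploit step (a payload that returns every account) against a constructed accounts.xml, beside the bound-variable form that closes the hole. It uses the XPath engine of the third-party lxml package as a stand-in for an XQuery processor, since XPath is the expression subset of XQuery and breaking out of a quoted literal inside a predicate works the same way in both; the document, the user records and the function names are assumptions.

```python
"""Vulnerable string-built lookup beside a variable-bound lookup.

Added example, not from the CAPEC entry. accounts.xml, the user records and
the function names are constructed for illustration. lxml's XPath engine
stands in for an XQuery processor. Requires the third-party lxml package.
"""
import re

from lxml import etree

# Constructed stand-in for the accounts.xml document the Description mentions.
ACCOUNTS_XML = b"""<accounts>
  <user><name>alice</name><role>admin</role><email>alice@example.invalid</email></user>
  <user><name>bob</name><role>user</role><email>bob@example.invalid</email></user>
  <user><name>carol</name><role>user</role><email>carol@example.invalid</email></user>
</accounts>"""

ACCOUNTS = etree.fromstring(ACCOUNTS_XML)

# Allowlist for an account name: the "input white list validation" mitigation.
NAME_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def emails_vulnerable(name: str) -> list[str]:
    """The pattern's precondition: the user value is spliced into query text.

    A value such as `' or '1'='1` closes the literal and adds a predicate
    that is true for every <user>, so the lookup returns all accounts.
    """
    query = "//user[name='" + name + "']/email/text()"
    return [str(e) for e in ACCOUNTS.xpath(query)]


def emails_bound(name: str) -> list[str]:
    """The same lookup with the value passed as an XPath variable.

    The engine receives the value out of band and compares it as data, so
    quotes and keywords inside it never reach the parser. The XQuery form
    is `declare variable $name external;` with the value supplied through
    the processor's variable-binding API instead of the query text.
    """
    return [str(e) for e in ACCOUNTS.xpath("//user[name=$name]/email/text()", name=name)]


def emails_hardened(name: str) -> list[str]:
    """Defence in depth: reject anything outside the allowlist, then bind."""
    if not NAME_ALLOWED.fullmatch(name):
        raise ValueError("account name rejected by allowlist")
    return emails_bound(name)


def probe_breaks_syntax(name: str) -> bool:
    """The Experiment step: does this value make the string-built query fail to parse?

    True is the attack flow's positive indicator (the server answered with a
    query error); the bound lookup never raises for the same inputs.
    """
    try:
        emails_vulnerable(name)
    except etree.XPathError:
        return True
    return False


if __name__ == "__main__":
    payload = "' or '1'='1"
    print("probe with a lone quote breaks syntax:", probe_breaks_syntax("'"))
    print("vulnerable lookup with payload:", emails_vulnerable(payload))
    print("bound lookup with payload:", emails_bound(payload))
```

The bound lookup is the control the flow phrases as "do not use user-controllable input as part of XQL queries": the value still reaches the engine, but as a variable rather than as query text, so no escaping of quotes is needed and no keyword in the value is ever interpreted. The allowlist in emails_hardened is the second layer; it is not a substitute for binding, because a validator has to anticipate every piece of syntax the engine accepts, whereas binding removes the parsing step from the attacker's reach altogether.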
Solutions and Mitigations
Design: Perform input white list validation on all XML input.
Implementation: Run the XML parsing and query infrastructure with minimal privileges, so that an attacker is limited in their ability to probe other system resources from XQL.
Attack Motivation-Consequences
- Data Modification
- Information Leakage
- Privilege Escalation
- Run Arbitrary Code
Related Attack Patterns

Nature | Type | ID | Name | Description | View(s) this relationship pertains to
---|---|---|---|---|---
ChildOf | Attack Pattern | 250 | XML Injection | | Mechanism of Attack (primary) 1000
ChildOf | Category | 379 | WASC Threat Classification 2.0 - WASC-46 - XQuery Injection | | WASC Threat Classification 2.0 333
Content History

Submissions

Submitter | Date | Comments
---|---|---
Gunnar Peterson | 2007-02-28 |

Modifications

Modifier | Organization | Date | Comments
---|---|---|---
Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise
Romain Gaucher | Cigital, Inc | 2009-02-10 | Created draft content for detailed description
Sean Barnum | Cigital Federal, Inc | 2009-04-13 | Reviewed and revised content for detailed description