CAPEC-110: SQL Injection through SOAP Parameter Tampering

Description
An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
Extended Description

This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.

Severity :

Very High

Possibility :

High

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-66: SQL Injection SQL Injection CAPEC-108: Command Line Execution through SQL Injection Command Line Execution through SQL Injection CAPEC-279: SOAP Manipulation SOAP Manipulation
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • SOAP messages are used as a communication mechanism in the system
  • SOAP parameters are not properly validated at the service provider
  • The service provider does not properly utilize parameter binding when building SQL queries
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium If the attacker is able to gain good understanding of the system's database schema
  • High If the attacker has to perform Blind SQL Injection
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-20: Improper Input Validation

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Visit http://capec.mitre.org/ for more details.