CAPEC-54: Query System for Information

Description

An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.

Extended Description

XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Severity :

Low

Possibility :

High

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-95: WSDL Scanning WSDL Scanning CAPEC-116: Excavation Excavation CAPEC-127: Directory Indexing Directory Indexing CAPEC-215: Fuzzing for application mapping Fuzzing for application mapping CAPEC-261: Fuzzing for garnering other adjacent user/sensitive data Fuzzing for garnering other adjacent user/sensitive data CAPEC-462: Cross-Domain Search Timing Cross-Domain Search Timing

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

This class of attacks does not strictly require authorized access to the application. As Attackers use this attack process to classify, map, and identify vulnerable aspects of an application, it simply requires hypotheses to be verified, interaction with the application, and time to conduct trial-and-error activities.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Medium Although fuzzing parameters is not difficult, and often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-209: Generation of Error Message Containing Sensitive Information

Visit http://capec.mitre.org/ for more details.