Execution Flow
1) Explore
[Determine if XML schema is local or remote] Because this attack differs slightly depending on whether the target uses remote XML schemas or local schemas, the adversary first needs to determine which of the two is used.
2) Experiment
[Gain access to XML schema] The adversary gains access to the XML schema so that they can modify the contents.
Technique
- For a local scenario, the adversary needs access to the machine that the schema is located on and needs to gain permissions to alter the contents of the file.
- For a remote scenario, the adversary needs to be able to sniff HTTP traffic that contains an XML schema.
3) Exploit
[Poison XML schema] Once the adversary gains access to the XML schema, they will alter it to achieve a desired effect. Locally, they can simply modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.
Technique
- Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing. For example, the unaltered schema may require a @name attribute in all submitted documents. If the adversary removes this attribute from the schema then documents created using the new grammar may lack this field, which may cause the processing application to enter an unexpected state or record incomplete data.
- Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field.
- Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B).
Prerequisites
Some level of access to modify the target schema.
The schema used by the target application must be improperly secured against unauthorized modification and manipulation.
Resources Required
Access to the schema and the knowledge and ability to modify it. Ability to replace or redirect access to the modified schema.
Mitigations
Design: Protect the schema against unauthorized modification.
Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.
Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.
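The following is an added example, not code from the CAPEC entry or from MITRE, showing the "local copy or known-good repository" mitigation in practice: the schema location named inside an incoming document is used only as a lookup key into a pinned repository, nothing is fetched from it, and the local copy is checked against a pinned SHA-256 digest before validation so that a modified file (here, a copy with the required @name constraint stripped, as in the denial-of-service technique above) is rejected. The schema URL, the order document and both schema copies are constructed for the example; the digest is computed at import time for convenience, whereas a real build would record it as a literal when the schema is reviewed.

```python
import hashlib
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"


class SchemaPolicyError(Exception):
    """The document names a schema location the application does not pin."""


class SchemaIntegrityError(Exception):
    """The local schema copy no longer matches its pinned digest."""


# Constructed known-good schema: every <order> must carry a @name attribute.
KNOWN_GOOD_SCHEMA = b"""<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="order">
    <xs:complexType>
      <xs:attribute name="name" type="xs:string" use="required"/>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""

# Constructed poisoned copy: the use="required" constraint has been removed,
# so documents lacking @name would validate against it.
POISONED_SCHEMA = KNOWN_GOOD_SCHEMA.replace(b' use="required"', b"")

# Hypothetical schema location the application accepts, mapped to the SHA-256
# of its reviewed copy.  Computed here for the example; a deployment stores the
# literal digest with the application, not next to the schema file.
PINNED_DIGESTS = {
    "https://schemas.example.invalid/order.xsd":
        hashlib.sha256(KNOWN_GOOD_SCHEMA).hexdigest(),
}


def schema_locations(document: bytes) -> list:
    """Return every schema location the instance document names via xsi attributes."""
    root = ET.fromstring(document)
    locations = []
    single = root.get("{%s}noNamespaceSchemaLocation" % XSI_NS)
    if single:
        locations.append(single.strip())
    paired = root.get("{%s}schemaLocation" % XSI_NS)
    if paired:
        # xsi:schemaLocation holds whitespace-separated "namespace location" pairs.
        locations.extend(paired.split()[1::2])
    return locations


def resolve_schema(document: bytes, local_store: dict) -> bytes:
    """Resolve the document's schema reference against the pinned repository.

    local_store maps an accepted location to the bytes of its local copy
    (standing in for files on disk).  The location inside the document is only
    a lookup key: nothing is fetched from it, and the local copy is rejected
    when its digest differs from the pinned value.
    """
    locations = schema_locations(document)
    if len(locations) != 1:
        raise SchemaPolicyError("expected one schema reference, got %r" % locations)
    location = locations[0]
    expected = PINNED_DIGESTS.get(location)
    if expected is None:
        raise SchemaPolicyError("%r is not a pinned schema; refusing to fetch it" % location)
    schema = local_store.get(location)
    if schema is None:
        raise SchemaIntegrityError("no local copy of %r in the known-good repository" % location)
    if hashlib.sha256(schema).hexdigest() != expected:
        raise SchemaIntegrityError("local copy of %r has been modified" % location)
    return schema


def verdict(document: bytes, local_store: dict) -> str:
    """Classify the outcome of schema resolution for a document."""
    try:
        resolve_schema(document, local_store)
    except SchemaPolicyError:
        return "rejected: unpinned schema location"
    except SchemaIntegrityError:
        return "rejected: schema copy modified"
    return "accepted"


# Constructed instance documents: one naming the pinned schema, one naming an
# unpinned location that must never be fetched.
ORDER_DOCUMENT = (
    b'<order xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    b'xsi:noNamespaceSchemaLocation="https://schemas.example.invalid/order.xsd" '
    b'name="widget"/>'
)
UNPINNED_DOCUMENT = (
    b'<order xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    b'xsi:noNamespaceSchemaLocation="https://unpinned.example.invalid/order.xsd"/>'
)

if __name__ == "__main__":
    intact = {"https://schemas.example.invalid/order.xsd": KNOWN_GOOD_SCHEMA}
    tampered = {"https://schemas.example.invalid/order.xsd": POISONED_SCHEMA}
    print(verdict(ORDER_DOCUMENT, intact))       # accepted
    print(verdict(ORDER_DOCUMENT, tampered))     # rejected: schema copy modified
    print(verdict(UNPINNED_DOCUMENT, intact))    # rejected: unpinned schema location
```

The digest check covers the local-file scenario (an altered schema on disk is refused before any document is validated against it), and the pinned-location lookup covers the remote scenario (the application never dereferences a location supplied by the document, so there is no in-transit fetch to tamper with). Validation itself is left to whichever schema-aware parser the application already uses; this code only decides which schema bytes that parser is allowed to see.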
Related Weaknesses
CWE-ID | Weakness Name | Description
| External Control of System or Configuration Setting | One or more system settings or configuration elements can be externally controlled by a user.
| External Control of Assumed-Immutable Web Parameter | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
Submission
Name | Organization | Date | Date release
CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 |
Modifications
Name | Organization | Date | Comment
CAPEC Content Team | The MITRE Corporation | 2017-01-09 +00:00 | Updated Description Summary
CAPEC Content Team | The MITRE Corporation | 2018-07-31 +00:00 | Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
CAPEC Content Team | The MITRE Corporation | 2020-07-30 +00:00 | Updated Description
CAPEC Content Team | The MITRE Corporation | 2021-06-24 +00:00 | Updated Example_Instances
CAPEC Content Team | The MITRE Corporation | 2021-10-21 +00:00 | Updated Description, Execution_Flow
CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated Example_Instances