CAPEC-279

SOAP Manipulation
Medium
High
Draft
2014-06-23
00h00 +00:00
2021-10-21
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Stay informed of any changes for a specific CAPEC.
Notifications manage

Descriptions CAPEC

Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an XML-based protocol, and therefore suffers from many of the same shortcomings as other XML-based protocols. Adversaries can make use of these shortcomings and manipulate the content of SOAP paramters, leading to undesirable behavior on the server and allowing the adversary to carry out a number of further attacks.

Informations CAPEC

Execution Flow

1) Exploit

[Find target application] The adversary needs to identify an application that uses SOAP as a communication protocol.

Technique
  • Observe HTTP traffic to an application and look for SOAP headers.
2) Experiment

[Detect Incorrect SOAP Parameter Handling] The adversary tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.

Technique
  • Send more data than would seem reasonable for a field and see if the server complains.
  • Send nonsense data in a field that expects a certain subset, such as product names or sequence numbers, and see if the server complains.
  • Send XML metacharacters as data and see how the server responds.
3) Exploit

[Manipulate SOAP parameters] The adversary manipulates SOAP parameters in a way that causes undesirable behavior for the server. This can result in denial of service, information disclosure, arbitrary code exection, and more.

Technique
  • Create a recursive XML payload that will take up all of the memory on the server when parsed, resulting in a denial of service. This is known as the billion laughs attack.
  • Insert XML metacharacters into data fields that could cause the server to go into an error state when parsing. This could lead to a denial of service.
  • Insert a large amount of data into a field that should have a character limit, causing a buffer overflow.

Prerequisites

An application uses SOAP-based web service api.
An application does not perform sufficient input validation to ensure that user-controllable data is safe for an XML parser.
The targeted server either fails to verify that data in SOAP messages conforms to the appropriate XML schema, or it fails to correctly handle the complete range of data allowed by the schema.

Related Weaknesses

CWE-ID Weakness Name

CWE-707

 Improper Neutralization
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

References

REF-121

Intrusion Resistant SOAP Messaging with IAPF
Navya Sidharth, Jigang Liu.
http://ieeexplore.ieee.org/document/4780783/

Submission

Name Organization Date Date release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description, Description Summary, Examples-Instances, References, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2021-10-21 +00:00 Updated Description, Example_Instances, Execution_Flow