CAPEC-95: WSDL Scanning

Likelihood of Attack: High
Typical Severity: High
Status: Draft
Created: 2014-06-23
Last modified: 2021-10-21

Description

This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to prepare more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the service's ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the web service and cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other, private methods by using the information provided in the WSDL files.

CAPEC Information

Execution Flow

1) Explore

[Scan for WSDL Documents] The adversary scans for WSDL documents. The WSDL document, written in XML, is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional breakdown, entry points, message types, etc.). This is very useful information for the adversary.

2) Experiment

[Analyze WSDL files] The adversary analyzes the WSDL files and tries to find potential weaknesses by sending messages matching the patterns described in the WSDL file. The adversary could run through all of the operations with different message request patterns until a breach is identified.

3) Exploit

[Craft malicious content] Once an adversary finds a potential weakness, they can craft malicious content to be sent to the system. For instance, the adversary may submit special characters and observe how the system reacts to an invalid request. The message sent by the adversary may not be validated against the XML schema and can cause unexpected behavior.

Prerequisites

A client program connecting to a web service can read the WSDL to determine what functions are available on the server.
The target host exposes vulnerable functions within its WSDL interface.

Skills Required

This attack can be as simple as reading the WSDL and sending invalid requests.
This attack can be the first stage of more sophisticated attacks (SQL injection, etc.).

Mitigations

It is important to protect the WSDL file or to provide only limited access to it.
Review the functions exposed by the WSDL interface (especially if you have used a tool to generate it). Make sure that none of them is vulnerable to injection.
Ensure the WSDL does not expose functions and APIs that were not intended to be exposed.
Pay attention to the function naming convention (within the WSDL interface). Easy-to-guess function names may be an entry point for attack.
Validate the received messages against the WSDL schema. This is an incomplete solution on its own: a message can be schema-valid and still carry a malicious value.
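The following Python script is an added example and is not part of the CAPEC entry. It walks the execution flow above against a constructed WSDL 1.1 document and then applies the review mitigations to the same document. The host shop.example and the two operations GetOrder and AdminResetPassword are hypothetical. The attacker-side functions enumerate the endpoint, operations and parameter types that any reader of the WSDL learns, and craft a document-style SOAP probe; the defender-side functions flag operations missing from an allowlist of intended ones, guessable privileged-sounding names, and unconstrained xs:string parameters, and a minimal type check shows why schema validation alone is the incomplete solution the last mitigation mentions: a type-violating probe is rejected, but a well-typed string carrying an injection payload passes.

```python
import re
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "xs": "http://www.w3.org/2001/XMLSchema",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# CONSTRUCTED sample: a tool-generated WSDL that publishes an administrative
# operation next to the one the service was meant to expose. The host
# 'shop.example' and both operations are hypothetical.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="OrderService" targetNamespace="urn:shop"
    xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:shop"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <types><xs:schema targetNamespace="urn:shop" elementFormDefault="qualified">
    <xs:element name="GetOrder"><xs:complexType><xs:sequence>
      <xs:element name="orderId" type="xs:int"/></xs:sequence></xs:complexType></xs:element>
    <xs:element name="AdminResetPassword"><xs:complexType><xs:sequence>
      <xs:element name="userName" type="xs:string"/></xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <message name="GetOrderIn"><part name="parameters" element="tns:GetOrder"/></message>
  <message name="AdminResetPasswordIn"><part name="parameters" element="tns:AdminResetPassword"/></message>
  <portType name="OrderPort">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/></operation>
    <operation name="AdminResetPassword"><input message="tns:AdminResetPasswordIn"/></operation>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="OrderService"><port name="OrderPort" binding="tns:OrderBinding">
    <soap:address location="http://shop.example/ws/orders"/></port></service>
</definitions>"""


def _local(qname):
    """'tns:GetOrder' -> 'GetOrder' (drop the namespace prefix)."""
    return qname.split(":", 1)[-1]


def enumerate_operations(wsdl_xml):
    """Steps 1-2 (attacker view): endpoint plus {operation: [(param, xsd_type)]}."""
    root = ET.fromstring(wsdl_xml)
    # Schema elements -> the parameters they carry
    schema_elems = {el.get("name"): [(p.get("name"), _local(p.get("type", "")))
                                     for p in el.findall(".//xs:element", NS)]
                    for el in root.findall("wsdl:types/xs:schema/xs:element", NS)}
    # Messages -> the schema element referenced by their part
    messages = {m.get("name"): _local(m.find("wsdl:part", NS).get("element"))
                for m in root.findall("wsdl:message", NS)}
    # Operations -> parameters, resolved through the portType input message
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        msg = _local(op.find("wsdl:input", NS).get("message"))
        ops[op.get("name")] = schema_elems.get(messages[msg], [])
    addr = root.find("wsdl:service/wsdl:port/soap:address", NS)
    return {"endpoint": addr.get("location") if addr is not None else None,
            "operations": ops}


def soap_request(op_name, values, ns="urn:shop"):
    """Step 3: craft a document-style SOAP 1.1 probe. Values are inserted
    unescaped on purpose: the probe carries special characters as-is."""
    body = "".join(f"<{p}>{v}</{p}>" for p, v in values.items())
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soapenv:Body><{op_name} xmlns="{ns}">{body}</{op_name}></soapenv:Body>'
            '</soapenv:Envelope>')


SUSPICIOUS_NAME = re.compile(r"admin|debug|test|internal|reset|delete|exec", re.I)


def audit_operations(ops, allowlist):
    """Defender review (mitigations 2-4): operations that were not meant to be
    public, guessable privileged-sounding names, unconstrained string inputs."""
    findings = []
    for name, params in ops.items():
        if name not in allowlist:
            findings.append((name, "not in allowlist of intended operations"))
        if SUSPICIOUS_NAME.search(name):
            findings.append((name, "guessable privileged-sounding name"))
        for pname, ptype in params:
            if ptype == "string":
                findings.append((name, f"unconstrained xs:string parameter '{pname}'"))
    return findings


_XSD_CHECKS = {
    "int": lambda v: re.fullmatch(r"[+-]?\d+", v) is not None and -2**31 <= int(v) < 2**31,
    "string": lambda v: True,  # any text is a lexically valid xs:string
}


def schema_valid(ops, op_name, values):
    """Mitigation 5, minimal stand-in for schema validation: every declared
    parameter present and lexically matching its XSD type. Unknown operations
    or extra/missing parameters fail."""
    params = ops.get(op_name)
    if params is None or set(values) != {p for p, _ in params}:
        return False
    return all(_XSD_CHECKS.get(t, lambda v: False)(values[p]) for p, t in params)


if __name__ == "__main__":
    info = enumerate_operations(SAMPLE_WSDL)
    print("endpoint:", info["endpoint"])
    for op, params in info["operations"].items():
        print(f"  {op}({', '.join(f'{p}: {t}' for p, t in params)})")
    for op, why in audit_operations(info["operations"], allowlist={"GetOrder"}):
        print("FINDING", op, "-", why)
    print(schema_valid(info["operations"], "GetOrder", {"orderId": "1 OR 1=1"}))  # False
    print(schema_valid(info["operations"], "AdminResetPassword", {"userName": "' OR '1'='1"}))  # True
    print(soap_request("GetOrder", {"orderId": "1 OR 1=1"}))
```

Running the script with the constructed WSDL lists the two operations and their typed parameters, reports AdminResetPassword three times (not on the allowlist, guessable name, unconstrained string), rejects the non-integer orderId probe, and accepts the injection string for userName because it is a perfectly valid xs:string. The last two results are the point of the "incomplete solution" caveat: type validation narrows the attack surface but does not replace per-operation input validation and access control on the exposed functions.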

Related Weaknesses

CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

References

REF-554

Anatomy of a Web Services Attack
Walid Negm.
https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf

REF-555

Seven Steps to XML Mastery
Frank Coyle.
http://www.informit.com/articles/article.aspx?p=601349

Submission

CAPEC Content Team (The MITRE Corporation), 2014-06-23

Modifications

2015-12-07  CAPEC Content Team (The MITRE Corporation): Updated Related_Attack_Patterns
2018-07-31  CAPEC Content Team (The MITRE Corporation): Updated References
2021-10-21  CAPEC Content Team (The MITRE Corporation): Updated Execution_Flow