CAPEC-146: XML Schema Poisoning
An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.
Last updated
Overview
CAPEC-146 (XML Schema Poisoning) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine if XML schema is local or remote] Because this attack differs slightly if the target uses remote XML schemas versus local schemas, the adversary first needs to determine which of the two are used.
- Step 2Experiment
[Gain access to XML schema] The adversary gains access to the XML schema so that they can modify the contents.
- For a local scenario, the adversary needs access to the machine that the schema is located on and needs to gain permissions to alter the contents of the file.
- For a remote scenario, the adversary needs to be able to sniff HTTP traffic that contains an XML schema.
- Step 3Exploit
[Poison XML schema] Once the adversary gains access to the XML schema, they will alter it to achieve a desired effect. Locally, they can simply modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.
- Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing. For example, the unaltered schema may require a @name attribute in all submitted documents. If the adversary removes this attribute from the schema then documents created using the new grammar may lack this field, which may cause the processing application to enter an unexpected state or record incomplete data.
- Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field.
- Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B).
What the attacker needs
Prerequisites
- Some level of access to modify the target schema.
- The schema used by the target application must be improperly secured against unauthorized modification and manipulation.
Resources required
- Access to the schema and the knowledge and ability modify it. Ability to replace or redirect access to the modified schema.
Consequences
What a successful CAPEC-146 attack can achieve.
Unreliable Execution, Resource Consumption
Affects: Availability
A successful schema poisoning attack can compromise the availability of the target system's service by exhausting its available resources.
Modify Data
Affects: Integrity
Read Data
Affects: Confidentiality
How to mitigate it
Defenses that reduce the risk of CAPEC-146.
- Design: Protect the schema against unauthorized modification.
- Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.
- Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.
Examples
XML Schema Poisoning Attacks can often occur locally due to being embedded within the XML document itself or being located on the host within an improperaly protected file. In these cases, the adversary can simply edit the XML schema without the need for additional privileges. An example of the former can be seen below: ]> John Smith 555-1234 jsmith@email.com 1 Example Lane If the 'name' attribute is required in all submitted documents and this field is removed by the adversary, the application may enter an unexpected state or record incomplete data. Additionally, if this data is needed to perform additional functions, a Denial of Service (DOS) may occur.
XML Schema Poisoning Attacks can also be executed remotely if the HTTP protocol is being used to transport data. : John Smith 555-1234 jsmith@email.com 1 Example Lane The HTTP protocol does not encrypt the traffic it transports, so all communication occurs in plaintext. This traffic can be observed and modified by the adversary during transit to alter the XML schema before it reaches the end user. The adversary can perform a Adversary-in-the-Middle (CAPEC-94) Attack to alter the schema in the same way as the previous example and to acheive the same results.
Frequently asked questions
Common questions about CAPEC-146.
- What is CAPEC-146?
- An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.
- How does a XML Schema Poisoning attack work?
- It typically unfolds over 3 phases. It begins with: [Determine if XML schema is local or remote] Because this attack differs slightly if the target uses remote XML schemas versus local schemas, the adversary first needs to determine which of the two are used.
- How do you prevent CAPEC-146?
- Design: Protect the schema against unauthorized modification.
- What weaknesses does CAPEC-146 target?
- CAPEC-146 exploits 2 CWE weaknesses, including CWE-15 (External Control of System or Configuration Setting), CWE-472 (External Control of Assumed-Immutable Web Parameter).
- How severe is CAPEC-146?
- MITRE rates CAPEC-146 as High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-146
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.