CAPEC-279: SOAP Manipulation
Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an XML-based protocol, and therefore suffers from many of the same shortcomings as other XML-based protocols. Adversaries can make use of these shortcomings and manipulate the content of SOAP paramters, leading to undesirable behavior on the server and allowing the adversary to carry out a number of further attacks.
Last updated
Overview
CAPEC-279 (SOAP Manipulation) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Exploit
[Find target application] The adversary needs to identify an application that uses SOAP as a communication protocol.
- Observe HTTP traffic to an application and look for SOAP headers.
- Step 2Experiment
[Detect Incorrect SOAP Parameter Handling] The adversary tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.
- Send more data than would seem reasonable for a field and see if the server complains.
- Send nonsense data in a field that expects a certain subset, such as product names or sequence numbers, and see if the server complains.
- Send XML metacharacters as data and see how the server responds.
- Step 3Exploit
[Manipulate SOAP parameters] The adversary manipulates SOAP parameters in a way that causes undesirable behavior for the server. This can result in denial of service, information disclosure, arbitrary code exection, and more.
- Create a recursive XML payload that will take up all of the memory on the server when parsed, resulting in a denial of service. This is known as the billion laughs attack.
- Insert XML metacharacters into data fields that could cause the server to go into an error state when parsing. This could lead to a denial of service.
- Insert a large amount of data into a field that should have a character limit, causing a buffer overflow.
What the attacker needs
Prerequisites
- An application uses SOAP-based web service api.
- An application does not perform sufficient input validation to ensure that user-controllable data is safe for an XML parser.
- The targeted server either fails to verify that data in SOAP messages conforms to the appropriate XML schema, or it fails to correctly handle the complete range of data allowed by the schema.
Consequences
What a successful CAPEC-279 attack can achieve.
Resource Consumption
Affects: Availability
Read Data
Affects: Confidentiality
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
Frequently asked questions
Common questions about CAPEC-279.
- What is CAPEC-279?
- Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an XML-based protocol, and therefore suffers from many of the same shortcomings as other XML-based protocols. Adversaries can make use of these shortcomings and manipulate the content of SOAP paramters, leading to undesirable behavior on the server and allowing the adversary to carry out a number of further attacks.
- How does a SOAP Manipulation attack work?
- It typically unfolds over 3 phases. It begins with: [Find target application] The adversary needs to identify an application that uses SOAP as a communication protocol.
- What weaknesses does CAPEC-279 target?
- CAPEC-279 exploits 1 CWE weakness, including CWE-707 (Improper Neutralization).
- How severe is CAPEC-279?
- MITRE rates CAPEC-279 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-279
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.