Dark Mode
Capec-271 Detail
Schema Poisoning
Standard Software Likelihood: Low Typical Severity: High
Parents: 176
Children: 146
Threats: T62 T68 T274 T297 T393
An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-271 | capec | https://capec.mitre.org/data/definitions/271.html | |
| CWE-15 | cwe | http://cwe.mitre.org/data/definitions/15.html |
Explore
-
Find target application and schema: The adversary first finds the application that they want to target. This application must use schemas in some way, so the adversary also needs to confirm that schemas are being used.
| Techniques |
|---|
| Gain access to the system that the application is on and look for a schema. |
| Observe HTTP traffic to the application and look for a schema being transmitted. |
Experiment
-
Gain access to schema: The adversary gains access to the schema so that they can modify the contents.
| Techniques |
|---|
| For a local scenario, the adversary needs access to the machine that the schema is located on and gain permissions to alter the contents of the schema file. |
| For a remote scenario, the adversary needs to be able to perform an adversary in the middle attack on the HTTP traffic that contains a schema. |
Exploit
-
Poison schema: Once the adversary gains access to the schema, they will alter it to achieve a desired effect. Locally, they can just modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.
| Techniques |
|---|
| Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing. |
| Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field. |
| Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B). |
- Some level of access to modify the target schema.
- The schema used by the target application must be improperly secured against unauthorized modification and manipulation.
- Access to the schema and the knowledge and ability modify it. Ability to replace or redirect access to the modified schema.
Not present
| Integrity | Availability | Confidentiality |
|---|---|---|
| Modify Data | Unreliable Execution (A successful schema poisoning attack can compromise the availability of the target system's service by exhausting its available resources.) | Read Data |
| Resource Consumption (A successful schema poisoning attack can compromise the availability of the target system's service by exhausting its available resources.) |
- In a JSON Schema Poisoning Attack, an adervary modifies the JSON schema to cause a Denial of Service (DOS) or to submit malicious input: { "title": "Contact", "type": "object", "properties": { "Name": { "type": "string" }, "Phone": { "type": "string" }, "Email": { "type": "string" }, "Address": { "type": "string" } }, "required": ["Name", "Phone", "Email", "Address"] } If the 'name' attribute is required in all submitted documents and this field is removed by the adversary, the application may enter an unexpected state or record incomplete data. Additionally, if this data is needed to perform additional functions, a Denial of Service (DOS) may occur.
- In a Database Schema Poisoning Attack, an adversary alters the database schema being used to modify the database in some way. This can result in loss of data, DOS, or malicious input being submitted. Assuming there is a column named "name", an adversary could make the following schema change: ALTER TABLE Contacts MODIFY Name VARCHAR(65353); The "Name" field of the "Conteacts" table now allows the storing of names up to 65353 characters in length. This could allow the adversary to store excess data within the database to consume system resource or to execute a DOS.