Capec-95 Detail
WSDL Scanning
Abstraction: Detailed | Domain: Software | Likelihood of Attack: High | Typical Severity: High
Parents: 54
Threats: T291
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-95 | capec | https://capec.mitre.org/data/definitions/95.html | |
| CWE-538 | cwe | http://cwe.mitre.org/data/definitions/538.html | |
| REF-554 | reference_from_CAPEC | https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf | Walid Negm, Anatomy of a Web Services Attack, 2004-03-01, ForumSystems |
| REF-555 | reference_from_CAPEC | http://www.informit.com/articles/article.aspx?p=601349 | Frank Coyle, Seven Steps to XML Mastery, 2006-08-25 |
Explore
- Scan for WSDL Documents: The adversary scans for WSDL documents. The WSDL document, written in XML, is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional breakdown, entry points, message types, etc.). This is very useful information for the adversary.
Experiment
- Analyze WSDL files: An adversary will analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The adversary could run through all of the operations with different message request patterns until a breach is identified.
Exploit
- Craft malicious content: Once an adversary finds a potential weakness, they can craft malicious content to be sent to the system. For instance, the adversary may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the adversary may not be XML-validated and may cause unexpected behavior.
- A client program connecting to a web service can read the WSDL to determine what functions are available on the server.
- The target host exposes vulnerable functions within its WSDL interface.
Not present
| Skill Level | Description |
|---|---|
| Low | This attack can be as simple as reading the WSDL and starting to send invalid requests. |
| Medium | This attack can be used to perform more sophisticated attacks (SQL injection, etc.). |
| Scope | Impact |
|---|---|
| Confidentiality | Read Data |
- A WSDL interface may expose a function vulnerable to SQL Injection.
- The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services. Because WSDL generation often is automated, enterprising adversaries can use WSDL to gain insight into both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods. Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. A persistent adversary with time and a library of words and phrases can cycle through common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality. Source: "Seven Steps to XML Mastery, Step 7: Ensure XML Security", Frank Coyle. See reference section.
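The auto-generation problem described above (Java2WSDL exposing methods never meant to be public) can be caught before deployment by diffing the operations a WSDL actually advertises against an approved list. The following is an added example, not code from CAPEC or the cited article; the WSDL document, the `StockPort` port type and the approved-operation set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed sample WSDL: an auto-generated interface that advertises the
# trading operation executeStockQuote next to the intended requestStockQuote.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             targetNamespace="urn:example:stock">
  <message name="requestStockQuoteRequest">
    <part name="symbol" type="xsd:string"/>
  </message>
  <message name="executeStockQuoteRequest">
    <part name="symbol" type="xsd:string"/>
    <part name="quantity" type="xsd:int"/>
  </message>
  <portType name="StockPort">
    <operation name="requestStockQuote">
      <input message="tns:requestStockQuoteRequest"/>
    </operation>
    <operation name="executeStockQuote">
      <input message="tns:executeStockQuoteRequest"/>
    </operation>
  </portType>
</definitions>
"""


def list_operations(wsdl_text):
    """Return {operation name: [input part names]} for every portType operation."""
    root = ET.fromstring(wsdl_text)
    ns = {"w": WSDL_NS}
    # Map message name -> its part names so each operation's inputs can be shown.
    messages = {}
    for msg in root.findall("w:message", ns):
        messages[msg.get("name")] = [p.get("name") for p in msg.findall("w:part", ns)]
    ops = {}
    for port_type in root.findall("w:portType", ns):
        for op in port_type.findall("w:operation", ns):
            inp = op.find("w:input", ns)
            # Strip any namespace prefix (e.g. "tns:") from the message reference.
            msg_name = inp.get("message").split(":")[-1] if inp is not None else None
            ops[op.get("name")] = messages.get(msg_name, [])
    return ops


def audit_wsdl(wsdl_text, approved):
    """Return advertised operations that are not on the approved public list."""
    return sorted(op for op in list_operations(wsdl_text) if op not in approved)
```

Run `audit_wsdl(SAMPLE_WSDL, {"requestStockQuote"})` as a release gate; any name it returns is an operation the generator exposed that nobody signed off on.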