
CAPEC-110: SQL Injection through SOAP Parameter Tampering

Abstraction
Detailed
Status
Draft
Likelihood
High
Severity
Very High

Description

An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
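The two provider-side behaviours the description contrasts, as an added example that is not part of the CAPEC entry: a handler that splices the parsed SOAP parameter into SQL text beside one that allowlists the value and binds it. The service namespace urn:example:orders, the customerId parameter and the in-memory orders table are all constructed for this illustration.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:orders"  # hypothetical service namespace (assumption)

def build_envelope(customer_id: str) -> str:
    """Constructed SOAP request as a consumer sends it; customerId is the tamperable parameter."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<ord:GetOrders xmlns:ord="{SVC_NS}"><ord:customerId>{customer_id}</ord:customerId>'
            f'</ord:GetOrders></soap:Body></soap:Envelope>')

def extract_customer_id(envelope: str) -> str:
    """Provider-side parsing: pull customerId out of the SOAP Body."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    node = body.find(f".//{{{SVC_NS}}}customerId") if body is not None else None
    return (node.text or "") if node is not None else ""

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the provider's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [(1, "C100"), (2, "C200"), (3, "C300")])
    return conn

def lookup_orders_vulnerable(conn: sqlite3.Connection, envelope: str) -> list:
    """CWE-89: the SOAP parameter is spliced into the SQL text, so its quotes become query structure."""
    cid = extract_customer_id(envelope)
    sql = "SELECT id FROM orders WHERE customer_id = '" + cid + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def is_valid_customer_id(cid: str) -> bool:
    """CWE-20 mitigation: allowlist the parameter's expected shape before it reaches the database."""
    return re.fullmatch(r"C\d{3}", cid) is not None

def lookup_orders_safe(conn: sqlite3.Connection, envelope: str) -> list:
    """Validated input plus parameter binding: the value travels as data, never as SQL."""
    cid = extract_customer_id(envelope)
    if not is_valid_customer_id(cid):
        raise ValueError("customerId rejected by input validation")
    rows = conn.execute("SELECT id FROM orders WHERE customer_id = ? ORDER BY id", (cid,))
    return [row[0] for row in rows]
```

With a tampered customerId of `' OR '1'='1` the vulnerable handler returns every order in the table, while the safe handler rejects the request before any query runs; binding alone would already keep the quote characters inert, and the allowlist adds the input-validation control the CWE-20 mapping calls for.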

Related weaknesses (2)

CWE-89, CWE-20

Related attack patterns (2)

CAPEC-66 (ChildOf), CAPEC-108 (CanPrecede)

Exploits (2)

Type / Target / Confidence / Tier
Weakness: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89), confidence 100%, tier live
Weakness: Improper Input Validation (CWE-20), confidence 100%, tier live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: SOAP Manipulation
CAPEC: Web Services Protocol Manipulation
CAPEC: SQL Injection
CAPEC: XML Injection
CAPEC: DEPRECATED: SOAP Parameter Tampering
CAPEC: Parameter Injection
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.