CAPEC-250: XML Injection

Abstraction: Standard
Status: Draft
Likelihood: High

Description

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

Related weaknesses (4)

CWE-91, CWE-74, CWE-20, CWE-707

Related attack patterns (1)

CAPEC-248 (ChildOf)

Exploits (4)

Type     | Target                                                                                              | ID      | Confidence | Tier
Weakness | Improper Input Validation                                                                           | CWE-20  | 100%       | live
Weakness | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')  | CWE-74  | 100%       | live
Weakness | Improper Neutralization                                                                             | CWE-707 | 100%       | live
Weakness | XML Injection (aka Blind XPath Injection)                                                           | CWE-91  | 100%       | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: XPath Injection
CAPEC: XQuery Injection
CAPEC: SQL Injection
CAPEC: Command Injection
CAPEC: Resource Injection
CAPEC: XML Schema Poisoning

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.