CAPEC-84: XQuery Injection

Abstraction: Detailed
Status: Draft
Likelihood: High
Severity: Very High

Description

This attack pattern uses XQuery to probe and attack server systems. In the same way that SQL injection lets an attacker exploit SQL calls to a relational database, XQuery injection passes improperly validated data into XQuery statements so that the attacker can traverse data and invoke functions that the XQuery routines have access to. Because XQuery includes functions such as doc() and collection() that open other documents, an injected query is not confined to the document the application meant to search. XQuery injection can be used to enumerate elements in the victim's environment, inject commands on the local host, or issue queries against remote files and data sources.
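The following is an added example and not part of the CAPEC entry. It shows the string concatenation that makes the attack possible next to the external-variable binding that prevents it, using the XQJ API (javax.xml.xquery). The sample users document, the variable and method names, and the Saxon XQDataSource class are assumptions; any XQJ driver on the classpath can stand in for the one named here.

```java
import javax.xml.namespace.QName;
import javax.xml.xquery.XQConnection;
import javax.xml.xquery.XQDataSource;
import javax.xml.xquery.XQException;
import javax.xml.xquery.XQExpression;
import javax.xml.xquery.XQPreparedExpression;
import javax.xml.xquery.XQResultSequence;

public class XQueryInjectionDemo {

    // Constructed sample data, written as an XQuery direct element constructor
    // so the example needs no file or database. In a real deployment this
    // would be doc('users.xml') or collection('users'), and the injected
    // query could call doc()/collection() on other documents as well.
    private static final String USERS =
        "<users>"
      + "  <user name='alice'><email>alice@example.com</email></user>"
      + "  <user name='bob'><email>bob@example.com</email></user>"
      + "</users>";

    /** Vulnerable: attacker-controlled text is spliced into the query program.
     *  name = "x' or '1'='1" turns the predicate into
     *  [@name='x' or '1'='1'], which is true for every user. */
    static String vulnerable(XQConnection conn, String name) throws XQException {
        String query =
            "let $users := " + USERS + "\n"
          + "return $users/user[@name='" + name + "']/email/text()";
        XQExpression expr = conn.createExpression();
        return collect(expr.executeQuery(query));
    }

    /** Hardened: the query text is fixed at build time; the untrusted value
     *  reaches the engine only as the content of the external variable
     *  $name, so quotes and operators in it are compared as data. */
    static String hardened(XQConnection conn, String name) throws XQException {
        String query =
            "declare variable $name external;\n"
          + "let $users := " + USERS + "\n"
          + "return $users/user[@name=$name]/email/text()";
        XQPreparedExpression expr = conn.prepareExpression(query);
        expr.bindString(new QName("name"), name, null); // null type = xs:string
        return collect(expr.executeQuery());
    }

    /** Joins every item of the result sequence with commas. */
    private static String collect(XQResultSequence rs) throws XQException {
        StringBuilder sb = new StringBuilder();
        while (rs.next()) {
            if (sb.length() > 0) sb.append(',');
            sb.append(rs.getItemAsString(null));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws XQException {
        // Assumed driver: substitute whichever XQJ implementation is on the classpath.
        XQDataSource ds = new com.saxonica.xqj.SaxonXQDataSource();
        XQConnection conn = ds.getConnection();
        String payload = "x' or '1'='1";
        System.out.println("vulnerable(alice):   " + vulnerable(conn, "alice"));
        System.out.println("vulnerable(payload): " + vulnerable(conn, payload));
        System.out.println("hardened(payload):   " + hardened(conn, payload));
        conn.close();
    }
}
```

With the tautology payload, vulnerable() returns every user's email, while hardened() returns an empty sequence because the whole payload is compared against the name attribute as one string. Binding only protects values: if the application lets a client choose element or attribute names, a path step, or a document URI, those parts cannot be bound as variables and must be checked against an allow-list before they are placed in the query text.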

Related weaknesses (2)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-707: Improper Neutralization

Related attack patterns (1)

CAPEC-250: XML Injection (ChildOf)

Exploits (2)

Type      Target                                                                                              Confidence  Tier
Weakness  Improper Neutralization (CWE-707)                                                                   100%        live
Weakness  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: XPath Injection
CAPEC: XML Injection
CAPEC: SQL Injection
CAPEC: XSS Through HTTP Query Strings
CAPEC: Command Injection
CAPEC: XSS Targeting Non-Script Elements

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.