Malformed XML


1. Introduction

By sending specially crafted malformed XML, an attacker might be able to crash a vulnerable server or even execute arbitrary commands on the server.

1.1. Typical real-world attack

The goal of an attack is usually to provoke the target server to expose sensitive information or crash. One example of could be:


1.2. What it does

The Malformed XML Security Scan will send alter the target request by inserting malformed XML snippets, leaving elements or attributes open, add non-defined attributes, etc.

2. Usage

Start by specifying which parameters that soapUI should malform by using the Add, Remove, Copy, Clone and Extract all buttons 1_snag_evi. The Extract all button will extract all non-empty parameters from the tested request.

Then add assertions using the controls at the bottom of the window 5_snag_evi that checks if the injection succeeded. Some assertions that would typically make sense for the Malformed XML is:

  • Schema Compliance, to make sure that the server response is not malformed.
  • Sensitive Information Exposure, to make sure that no server internals are exposed (e.g. via stacktraces if the server crashes).

These assertions will be added/suggested automatically if the Security Test is generated by the Security Test Wizard in ReadyAPI.

2.1. Configuration

The Strategy tab 3_snag_evi lets you configure how soapUI should combine attacks on multiple parameters and how long it should wait between each request:

  • The One by One strategy iteratively tests each malicious value for each selected parameter, leaving all parameters but the currently tested at their original value.
  • The All at Once strategy iterates through the list of malicious values just once, applying the same malicious value to all selected parameters.

From the Advanced tab 4_snag_evi you can review and edit the list of malicious strings used by the scan.

2.2. Example

3. Further reading

Read more about XML bombs and how to protect yourself at the following websites: