By sending specially crafted malformed XML, an attacker might be able to crash a vulnerable server or even execute arbitrary commands on the server.
1.1. Typical real-world attack
The goal of an attack is usually to provoke the target server to expose sensitive information or crash. One example of could be:
1.2. What it does
The Malformed XML Security Scan will send alter the target request by inserting malformed XML snippets, leaving elements or attributes open, add non-defined attributes, etc.
Start by specifying which parameters that soapUI should malform by using the Add, Remove, Copy, Clone and Extract all buttons . The Extract all button will extract all non-empty parameters from the tested request.
Then add assertions using the controls at the bottom of the window that checks if the injection succeeded. Some assertions that would typically make sense for the Malformed XML is:
- Schema Compliance, to make sure that the server response is not malformed.
- Sensitive Information Exposure, to make sure that no server internals are exposed (e.g. via stacktraces if the server crashes).
These assertions will be added/suggested automatically if the Security Test is generated by the Security Test Wizard in ReadyAPI.
The Strategy tab lets you configure how soapUI should combine attacks on multiple parameters and how long it should wait between each request:
- The One by One strategy iteratively tests each malicious value for each selected parameter, leaving all parameters but the currently tested at their original value.
- The All at Once strategy iterates through the list of malicious values just once, applying the same malicious value to all selected parameters.
From the Advanced tab you can review and edit the list of malicious strings used by the scan.
3. Further reading
Read more about XML bombs and how to protect yourself at the following websites: