XML Injection Attack

From Guidance Share

Revision as of 04:26, 6 August 2007; GardenTender (Talk | contribs)
(diff) ←Older revision | Current revision | Newer revision→ (diff)
Jump to: navigation, search

Description

Attacker builds XML from malicious input. (check xpath injection attacks)


Vulnerabilities

  • Inappropriate or lacking schema validation
  • Dynamic XML generation using untrusted input


Countermeasures

  • Validate schema against a defined XSD
  • Perform context-sensitive encoding of untrusted input using an encoding library (e.g., IOSec)
  • Untrusted input should be validated against an inclusion list before use (e.g., RegEx pattern, primitive type casting, domain constraint, etc.)
Personal tools