XML Injection Attack

From Guidance Share

Jump to: navigation, search

Description

Attacker builds XML from malicious input. (check xpath injection attacks)

Vulnerabilities

Inappropriate or lacking schema validation
Dynamic XML generation using untrusted input

Countermeasures

Validate schema against a defined XSD
Perform context-sensitive encoding of untrusted input using an encoding library (e.g., IOSec)
Untrusted input should be validated against an inclusion list before use (e.g., RegEx pattern, primitive type casting, domain constraint, etc.)

Retrieved from "http://www.guidanceshare.com/wiki/XML_Injection_Attack"

Views

Personal tools

Log in / create account

Search

Toolbox