Input Validation / XML Injection

Description

XML Injection, also known as XPath Injection, is an attack technique used to exploit web and application programming interfaces (APIs) that parse XML input. It is an input validation vulnerability in which XML code is injected into an XML document, usually through the input fields of a web application, in order to access unauthorized data or resources. XML injection can allow an attacker to bypass authorization and authentication mechanisms, access sensitive data, and even modify or delete data. As defined in the Common Weakness Enumeration (CWE) directory, XML injection is a type of "Improper Input Validation" (CWE-20). The OWASP Testing Guide recommends using a white-listing approach to defend against XML injection.

Risk

XML injection poses a significant risk to an organization. An attacker can gain access to unauthorized data and even modify or delete the data. This can lead to data theft, data loss, and data manipulation, resulting in financial loss, reputational damage, and even legal liabilities.

Solution

The best way to protect against XML injection is to use input validation and white-listing. This involves validating all input before it is processed. Input should be checked against a known valid list of values, and any input that does not match should be rejected. In addition, all input should be encoded to prevent malicious code from being executed.