Input Validation / XML Injection
XML Injection is an attack technique against web applications and application programming interfaces (APIs) that build or query XML from untrusted input. It is an input validation flaw: data supplied by a user, usually through a form field or API parameter, is placed into an XML document without being escaped or validated, so the attacker can inject markup of their own (new elements, attributes or entities) and change the structure or meaning of the document. It is often discussed together with XPath injection, in which the injected input alters an XPath query run against an XML store rather than the document itself; the Common Weakness Enumeration (CWE) lists them as CWE-91 ("XML Injection (aka Blind XPath Injection)") and CWE-643 ("Improper Neutralization of Data within XPath Expressions ('XPath Injection')"), with "Improper Input Validation" (CWE-20) as the general weakness that lets either happen. A successful injection can bypass authentication and authorization checks, expose sensitive data, and modify or delete data. The OWASP Testing Guide has a dedicated test for XML injection and recommends an allow-list (white-listing) approach to input validation as the primary defence.
XML injection poses a significant risk to an organization. An attacker who controls the structure of a stored document or a query can read data they are not authorized to see, escalate their own privileges, or modify and delete records. The consequences range from data theft, loss and manipulation to financial loss, reputational damage and legal liability.
Defend against XML injection at two layers. First, validate all input against an allow-list before it is processed: define the exact set of values, or a strict pattern (permitted characters, length, format), that each field may contain, and reject anything else. The XML metacharacters (<, >, &, ' and ") should never be accepted in a field that has no legitimate need for them. Second, never assemble XML documents or XPath queries by string concatenation. Build documents through a DOM or serializer API, which escapes metacharacters in text and attribute values for you, and pass user data into XPath through the engine's variable binding (for example an XPathVariableResolver with javax.xml.xpath in Java), so the data is treated as a value and can never become part of the expression. Where escaping must be done by hand, replace <, >, &, ' and " with &lt;, &gt;, &amp;, &apos; and &quot; respectively; encoding on its own is a fallback, not a substitute for the allow-list.
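The following Python script is an added example, not code from the original page: it shows the injection described above and the two defences side by side. A constructed registration handler stores each new user as an XML fragment whose role is fixed by the application. The attacker's username closes the username element, injects an admin role and reopens the element so the document still parses. The function, constant and payload names (TEMPLATE, PAYLOAD, build_user_vulnerable, build_user_safe, validate_username) are assumptions made for the example; only the standard library is used.

```python
import re
import xml.etree.ElementTree as ET

# Constructed example: a registration handler that stores each new user as an
# XML fragment. The role is fixed by the application, never by the user.
TEMPLATE = "<user><username>{username}</username><role>user</role></user>"

# Constructed attacker input: closes <username>, injects a <role> element of
# the attacker's choosing, then reopens <username> so the resulting document
# stays well-formed and parses without error.
PAYLOAD = "alice</username><role>admin</role><username>"

# Allow-list for usernames: letters, digits, '_', '.', '-', 1 to 32 characters.
# None of the XML metacharacters (< > & ' ") can pass this check.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username: str) -> bool:
    """Allow-list validation: accept only values that match the pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def build_user_vulnerable(username: str) -> str:
    """Vulnerable: the raw input is dropped into the markup by string formatting."""
    return TEMPLATE.format(username=username)


def build_user_safe(username: str) -> str:
    """Hardened: the document is built through the DOM API, whose serializer
    escapes <, > and & in text nodes, so the input can only be character data."""
    user = ET.Element("user")
    ET.SubElement(user, "username").text = username
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")


def effective_role(xml_doc: str) -> str:
    """What a consumer of the record sees: the first <role> child of <user>.
    In the injected document the attacker's element comes before the real one."""
    return ET.fromstring(xml_doc).find("role").text


def stored_username(xml_doc: str) -> str:
    """The username as read back from the stored record."""
    return ET.fromstring(xml_doc).find("username").text


if __name__ == "__main__":
    print("allow-list accepts payload?", validate_username(PAYLOAD))   # False
    vuln = build_user_vulnerable(PAYLOAD)
    print("vulnerable document:", vuln)
    print("vulnerable role:", effective_role(vuln))                     # admin
    safe = build_user_safe(PAYLOAD)
    print("safe document:", safe)
    print("safe role:", effective_role(safe))                           # user
    print("safe username round-trips:", stored_username(safe) == PAYLOAD)  # True
```

Run it as a script to see the two documents. In the vulnerable document the injected role element appears before the application's own, so a reader that takes the first role (as most lookups do) grants admin; in the safe document the payload survives only as escaped character data and the role stays "user". In a real handler the allow-list check runs first and rejects the payload outright; the DOM builder is the second layer for the case where a field legitimately needs characters the allow-list cannot exclude. The same division applies to XPath: validate, then bind user data as XPath variables instead of formatting it into the expression.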
The following snippet (attributed to CVE-2019-17584) shows the underlying mistake: a user-supplied request parameter is concatenated directly into a query string without any validation or parameterisation. Note that the query here is SQL, so strictly this is a SQL injection rather than an XML injection, but an XML document or XPath query assembled the same way is vulnerable in exactly the same way.
// Untrusted request parameter concatenated straight into the query string
String queryString = "SELECT * FROM customers WHERE id = " + request.getParameter("customerId");
statement.executeQuery(queryString);
The code is vulnerable because the customerId value is never validated or bound as a parameter, so whatever the attacker puts in that parameter becomes part of the query's structure rather than a plain value. In this SQL case that lets them read other customers' rows or, depending on the driver, append further statements; in an XPath query built the same way they could rewrite the predicate to match every user; in an XML document they could insert elements of their own. The fix for this snippet is a PreparedStatement with a bound parameter; the XML and XPath equivalents are a serializer API and XPath variable binding, combined with allow-list validation of the parameter (here, that it is a numeric identifier) before it is used.