XPath injection occurs when an XML document is used for data storage in a manner similar to a relational database. This attack is similar to SQL injection (see IDS07-J. Prevent SQL injection), wherein an attacker enters valid query constructs into the data fields of the query in use. Typically, the conditional part of the query is made to resolve to a tautology, or the query is redirected to give the attacker access to privileged information. This guideline is a specific example of the broadly scoped guideline "Filter data that passes through a trust boundary".

XML Path Injection Example

Consider the following XML schema.

...

This time, the '1'='1' tautology disables both login ID and password validation, and the attacker is falsely logged in without knowing a login ID or password.

Noncompliant Code Example

In this noncompliant code example, a user name and password are read from the user and used to construct the query string by concatenation. The password is passed as a char array and then hashed, to comply with MSC05-J. Store passwords using a hash function and MSC10-J. Limit the lifetime of sensitive data.

...

private boolean doLogin(String loginID, char[] password)
  throws ParserConfigurationException, SAXException, IOException, XPathExpressionException {

  DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
  domFactory.setNamespaceAware(true);
  DocumentBuilder builder = domFactory.newDocumentBuilder();
  Document doc = builder.parse("users.xml");
  String pwd = hashPassword(password);

  XPathFactory factory = XPathFactory.newInstance();
  XPath xpath = factory.newXPath();
  // Noncompliant: the untrusted loginID (and the password hash) are concatenated
  // directly into the expression, so XPath syntax in the input becomes part of the query.
  XPathExpression expr = xpath.compile("//users/user[login/text()='" +
       loginID + "' and password/text()='" + pwd + "' ]");
  Object result = expr.evaluate(doc, XPathConstants.NODESET);
  NodeList nodes = (NodeList) result;

  // Print first names to the console
  for (int i = 0; i < nodes.getLength(); i++) {
    Node node = nodes.item(i).getChildNodes().item(1).getChildNodes().item(0);
    System.out.println("Authenticated: " + node.getNodeValue());
  }

  return (nodes.getLength() >= 1);
}

Compliant Solution (XQuery)

XPath injection can be prevented by adopting defenses similar to those used to prevent SQL injection:

...

Prevention of XPath injection requires the following characters to be removed (that is, prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection
  • XPath queries should not contain any meta characters (such as ' = * ? // or similar)
  • XSLT expansions should not contain any user input; if they must, the existence of the referenced file should be comprehensively tested, and the files must lie within the bounds set by the Java 2 Security Policy.
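As an added example (not the guideline's own compliant solution, which uses XQuery and is elided above), the same lookup can be performed in plain JAXP by binding the user-supplied values as XPath variables through an XPathVariableResolver, so they are never part of the expression text. The users.xml layout, the class name SafeXPathLogin and the sample password hash are constructed assumptions; the password is taken as an already-hashed string.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SafeXPathLogin {
  // Constructed sample document; the guideline's users.xml schema is elided, so
  // this layout (users/user/login, users/user/password) is an assumption.
  static final String USERS_XML =
      "<users><user><login>alice</login><password>5f4dcc3b</password></user></users>";

  // Returns true only if a user with exactly this login and password hash exists.
  static boolean doLogin(Document doc, String loginID, String pwd) throws Exception {
    XPath xpath = XPathFactory.newInstance().newXPath();
    // Bind the untrusted values as XPath variables instead of concatenating them into
    // the expression: the engine compares them as string values, never as syntax.
    xpath.setXPathVariableResolver(name -> {
      if ("login".equals(name.getLocalPart())) return loginID;
      if ("pwd".equals(name.getLocalPart())) return pwd;
      return null; // unknown variable: evaluation fails instead of matching anything
    });
    XPathExpression expr =
        xpath.compile("//users/user[login/text()=$login and password/text()=$pwd]");
    NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
    return nodes.getLength() >= 1;
  }

  public static void main(String[] args) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setNamespaceAware(true);
    Document doc = f.newDocumentBuilder()
        .parse(new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));

    // Legitimate credentials match the single stored user.
    System.out.println("alice: " + doLogin(doc, "alice", "5f4dcc3b"));
    // The '1'='1' tautology from the text is now just a literal login value, so the
    // predicate is evaluated against a login named "' or '1'='1" and finds no user.
    System.out.println("tautology: " + doLogin(doc, "' or '1'='1", "' or '1'='1"));
  }
}
```

Because the variable values are resolved by the engine rather than parsed, no quoting or escaping of the input is required, which is the same separation of code and data that prepared statements give SQL.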

Risk Assessment

Failure to validate user input may result in information disclosure and execution of unprivileged code.

Guideline  Severity  Likelihood  Remediation Cost  Priority  Level
IDS09-J    medium    probable    medium            P8        L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.


...