Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot

...

Consider the following XML schema.

Code Block
&lt;users&gt;<users>
  &lt;user&gt;<user>
    &lt;login&gt;Utah&lt;/login&gt;<login>Utah</login>
    &lt;password&gt;C^f3&lt;/password&gt;<password>C^f3</password>
  &lt;/user&gt;</user>
  &lt;user&gt;<user>
    &lt;login&gt;Bohdi&lt;/login&gt;<login>Bohdi</login>
    &lt;password&gt;C@fe&lt;/password&gt;<password>C@fe</password>
  &lt;/user&gt;</user>
  &lt;user&gt;<user>
    &lt;login&gt;Busey&lt;/login&gt;<login>Busey</login>
    &lt;password&gt;cAf3&lt;/password&gt;<password>cAf3</password>
  &lt;/user&gt;
&lt;/users&gt;</user>
</users>

Untrusted code may attempt to retrieve user details from this file with an XPath statement constructed dynamically from user input.

Code Block
str_query = &quot;"//users/user[LoginID/text()= &quot;" &amp; login &amp; 
            &quot;" and password/text()=&quot;" &amp; password &amp; &quot;]&quot;"]"

An attacker may specify input such as, login = ' or 1=1 and password = ' or 1=1, yielding the following query string.

...

Code Block
bgColor#FFcccc
class XpathInjection {
  private boolean doLogin(String loginID, String password)
    throws ParserConfigurationException, SAXException,IOException, XPathExpressionException {

    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
    domFactory.setNamespaceAware(true);
    DocumentBuilder builder = domFactory.newDocumentBuilder();
    Document doc = builder.parse(&quot;"users.xml&quot;");

    XPathFactory factory = XPathFactory.newInstance();
    XPath xpath = factory.newXPath();
    XPathExpression expr = xpath.compile(&quot;"//users/user[login/text()='&quot;" + 
         loginID +&quot;'&quot;"'" + &quot;"and password/text()='&quot;"+password+&quot;"' ]&quot;");
    Object result = expr.evaluate(doc, XPathConstants.NODESET);
    NodeList nodes = (NodeList) result;
   
    // Print first names to the console 
    for (int i = 0; i &lt;< nodes.getLength(); i++) {
      System.out.println(nodes.item(i).getNodeValue());}       
         
    return (nodes.getLength() &gt;>= 1);
  }
}

Compliant Solution

...

Code Block
bgColor#ccccff

Document doc = new Builder().build(&quot;"users.xml&quot;");
XQuery xquery = new XQueryFactory().createXQuery(new File(&quot;"login.xry&quot;"));

Map queryVars= new HashMap();

queryVars.put(&quot;loginid&quot;"loginid", &quot;Utah&quot;"Utah"); // user name hardcoded for illustrative purposes
queryVars.put(&quot;password&quot;"password", &quot;securecoding&quot;"securecoding"); // password hardcoded for illustrative purposes 

Nodes results = xquery.execute(doc, null, queryVars).toNodes();

for (int i=0; i &lt;< results.size(); i++) {
  System.out.println(results.get(i).toXML());
}

...

Wiki Markup
\[[Fortify 08|AA. Java References#Fortify 08]\] &quot;"Input Validation and Representation: XML Injection&quot;"
\[[Sen 07|AA. Java References#Sen 07]\]
\[[Sun 06|AA. Java References#Sun 06]\] [Ensure Data Security|http://java.sun.com/developer/technicalArticles/xml/jaxp1-3/index.html#Ensure%20Data%20Security]
\[[OWASP 05|AA. Java References#OWASP 05]\] [Testing for XPath Injection|http://www.owasp.org/index.php/XPath_Injection_Testing_AoC]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 643|http://cwe.mitre.org/data/definitions/247.html] &quot;"Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')&quot;"

...

IDS05-J. Prevent XML Injection&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;49. Miscellaneous (MSC)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;      10. Input Validation and Data Sanitization (IDS)      IDS07-J. Understand how escape characters are interpreted when String literals are compiled