Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

...

Consider the following XML schema.

Code Block
<users>&lt;users&gt;
  <user>&lt;user&gt;
    <login>Utah</login>&lt;login&gt;Utah&lt;/login&gt;
    <password>C^f3</password>&lt;password&gt;C^f3&lt;/password&gt;
  </user>&lt;/user&gt;
  <user>&lt;user&gt;
    <login>Bohdi</login>&lt;login&gt;Bohdi&lt;/login&gt;
    <password>C@fe</password>&lt;password&gt;C@fe&lt;/password&gt;
  </user>&lt;/user&gt;
  <user>&lt;user&gt;
    <login>Busey</login>&lt;login&gt;Busey&lt;/login&gt;
    <password>cAf3</password>&lt;password&gt;cAf3&lt;/password&gt;
  </user>
</users>&lt;/user&gt;
&lt;/users&gt;

Untrusted code may attempt to retrieve user details from this file with an XPath statement constructed dynamically from user input.

Code Block
str_query = "&quot;//users/user[LoginID/text()= "&quot; &amp;amp; login &amp;amp; 
            "&quot; and password/text()="&quot; &amp;amp; password &amp;amp; "]"&quot;]&quot;

An attacker may specify input such as, login = ' or 1=1 and password = ' or 1=1, yielding the following query string.

...

Code Block
bgColor#FFcccc
class XpathInjection {
  private boolean doLogin(String loginID, String password)
    throws ParserConfigurationException, SAXException,IOException, XPathExpressionException {

    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
    domFactory.setNamespaceAware(true);
    DocumentBuilder builder = domFactory.newDocumentBuilder();
    Document doc = builder.parse("&quot;users.xml"&quot;);

    XPathFactory factory = XPathFactory.newInstance();
    XPath xpath = factory.newXPath();
    XPathExpression expr = xpath.compile("&quot;//users/user[login/text()='"&quot; + 
         loginID +"'"&quot;'&quot; + "&quot;and password/text()='"&quot;+password+"&quot;' ]"&quot;);
    Object result = expr.evaluate(doc, XPathConstants.NODESET);
    NodeList nodes = (NodeList) result;
   
    // Print first names to the console 
    for (int i = 0; i <&lt; nodes.getLength(); i++) {
      System.out.println(nodes.item(i).getNodeValue());}       
         
    return (nodes.getLength() >&gt;= 1);
  }
}

Compliant Solution

...

Code Block
bgColor#ccccff

Document doc = new Builder().build("&quot;users.xml"&quot;);
XQuery xquery = new XQueryFactory().createXQuery(new File("&quot;login.xry"&quot;));

Map queryVars= new HashMap();

queryVars.put("loginid"&quot;loginid&quot;, "Utah"&quot;Utah&quot;); // user name hardcoded for illustrative purposes
queryVars.put("password"&quot;password&quot;, "securecoding"&quot;securecoding&quot;); // password hardcoded for illustrative purposes 

Nodes results = xquery.execute(doc, null, queryVars).toNodes();

for (int i=0; i <&lt; results.size(); i++) {
  System.out.println(results.get(i).toXML());
}

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Fortify 08|AA. Java References#Fortify 08]\] "&quot;Input Validation and Representation: XML Injection"&quot;
\[[Sen 07|AA. Java References#Sen 07]\]
\[[Sun 06|AA. Java References#Sun 06]\] [Ensure Data Security|http://java.sun.com/developer/technicalArticles/xml/jaxp1-3/index.html#Ensure%20Data%20Security]
\[[OWASP 05|AA. Java References#OWASP 05]\] [Testing for XPath Injection|http://www.owasp.org/index.php/XPath_Injection_Testing_AoC]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 643|http://cwe.mitre.org/data/definitions/247.html] "&quot;Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')"&quot;

...

IDS05-J. Prevent XML Injection      &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10. Input Validation and Data Sanitization (IDS)      &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;IDS07-J. Understand how escape characters are interpreted when String literals are compiled