Versions Compared

Comment: Changed to JG

XPath injection can occur when an XML document is used for data storage in a manner similar to a relational database and the queries run against it are built by concatenating untrusted input into the query text. The attack is analogous to SQL injection or XML injection (see the appropriate parts of IDS00-J. Sanitize untrusted data passed across a trust boundary): an attacker supplies valid XPath constructs in the data fields of the query in use. Typically the injected text turns the conditional part of the query into a tautology, bypassing an authentication check, or alters the query so that it returns privileged information. This guideline is a specific example of the broadly scoped IDS52-J. Prevent code injection.

XML Path Injection Example

Consider the following XML schema.

...

Here the '1'='1' tautology makes the predicate true for every user element, so both the login ID check and the password check are bypassed and the attacker is logged in without knowing a valid login ID or password.

Noncompliant Code Example

In this noncompliant code example, a user name and password are read from the user and used to construct the query string. The password is passed as a char array and then hashed, to comply with MSC51-J. Store passwords using a hash function and MSC56-J. Limit the lifetime of sensitive data. Neither loginID nor the hashed password is validated before being concatenated directly into the XPath expression, so an attacker who controls loginID can change the structure of the query rather than merely its data.

...

import java.io.IOException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

// The enclosing class and hashPassword() are elided on this page.
private boolean doLogin(String loginID, char[] password)
  throws ParserConfigurationException, SAXException, IOException, XPathExpressionException {

  DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
  domFactory.setNamespaceAware(true);
  DocumentBuilder builder = domFactory.newDocumentBuilder();
  Document doc = builder.parse("users.xml");
  String pwd = hashPassword(password);

  XPathFactory factory = XPathFactory.newInstance();
  XPath xpath = factory.newXPath();
  // Untrusted loginID (and the hashed password) are concatenated straight into
  // the XPath expression: this is the injection point.
  XPathExpression expr = xpath.compile("//users/user[login/text()='" +
       loginID + "' and password/text()='" + pwd + "' ]");
  Object result = expr.evaluate(doc, XPathConstants.NODESET);
  NodeList nodes = (NodeList) result;

  // Print first names of all matching users to the console
  for (int i = 0; i < nodes.getLength(); i++) {
    Node node = nodes.item(i).getChildNodes().item(1).getChildNodes().item(0);
    System.out.println("Authenticated: " + node.getNodeValue());
  }

  // Any match at all is treated as a successful login
  return (nodes.getLength() >= 1);
}

Compliant Solution (XQuery)

XPath injection can be prevented by adopting defenses similar to those used against SQL injection: treat user-supplied values strictly as data, for example by binding them to query variables instead of concatenating them into the query text, and validate them against an allowlist of permitted characters:

...

[Prevention of XPath injection] requires the following characters to be removed (i.e., prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection
  • XPath queries should not contain any meta characters (such as ' = * ? // or similar)
  • XSLT expansions should not contain any user input, or if they do, [you should] comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.
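The following is an added, self-contained Java example; it is not code from this page or from the CERT standard's own compliant solution. It runs the tautology attack from the example above against a query built by concatenation (the pattern of the noncompliant code example), and beside it a hardened query that binds the untrusted values through javax.xml.xpath.XPathVariableResolver so they can never alter the query's structure. The in-memory users document, the user names, the stored password digests and the class and method names are all constructed placeholders for this example.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {

  // Constructed stand-in for users.xml (example data, not from the page).
  // The password values are placeholder digests, as the rule stores hashes, not plaintext.
  private static final String USERS_XML =
      "<users>"
    + "<user><login>alice</login><password>1f3870be274f6c49b3e31a0c6728957f</password><name>Alice</name></user>"
    + "<user><login>bob</login><password>5f4dcc3b5aa765d61d8327deb882cf99</password><name>Bob</name></user>"
    + "</users>";

  static Document parseUsers() throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    // Unrelated to XPath injection, but any parser fed untrusted XML should refuse DTDs (XXE).
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    f.setNamespaceAware(true);
    DocumentBuilder b = f.newDocumentBuilder();
    return b.parse(new InputSource(new StringReader(USERS_XML)));
  }

  // Vulnerable: untrusted strings are concatenated into the XPath expression text.
  static int vulnerableMatches(Document doc, String loginID, String pwd)
      throws XPathExpressionException {
    XPath xpath = XPathFactory.newInstance().newXPath();
    XPathExpression expr = xpath.compile(
        "//users/user[login/text()='" + loginID + "' and password/text()='" + pwd + "']");
    return ((NodeList) expr.evaluate(doc, XPathConstants.NODESET)).getLength();
  }

  // Hardened: the expression text is a constant; untrusted values arrive as XPath variables.
  static int safeMatches(Document doc, final String loginID, final String pwd)
      throws XPathExpressionException {
    XPath xpath = XPathFactory.newInstance().newXPath();
    xpath.setXPathVariableResolver(new XPathVariableResolver() {
      @Override public Object resolveVariable(QName name) {
        if ("loginID".equals(name.getLocalPart())) return loginID;
        if ("password".equals(name.getLocalPart())) return pwd;
        return null;
      }
    });
    XPathExpression expr = xpath.compile(
        "//users/user[login/text()=$loginID and password/text()=$password]");
    return ((NodeList) expr.evaluate(doc, XPathConstants.NODESET)).getLength();
  }

  public static void main(String[] args) throws Exception {
    Document doc = parseUsers();
    // The tautology payload from the example above, supplied for both fields.
    String payload = "' or '1'='1";
    // Concatenation yields ...[login/text()='' or '1'='1' and password/text()='' or '1'='1'],
    // which is true for every user: both records match and doLogin() would return true.
    System.out.println("vulnerable, payload:   " + vulnerableMatches(doc, payload, payload));
    // Bound as a variable, the payload is just a string that matches no login: 0 records.
    System.out.println("hardened,   payload:   " + safeMatches(doc, payload, payload));
    // Legitimate credentials still authenticate through the hardened query: 1 record.
    System.out.println("hardened,   bob:       "
        + safeMatches(doc, "bob", "5f4dcc3b5aa765d61d8327deb882cf99"));
  }
}
```

Binding through XPathVariableResolver is the XPath-API counterpart of the variable binding used by the XQuery compliant solution; the expression text never contains user data, so there is no set of metacharacters to enumerate. Escaping is a weaker fallback here because XPath 1.0 string literals have no escape sequence at all: a single quote inside a single-quoted literal cannot be represented, so an escaping routine must either reject the character or switch quoting styles, and a mistake reopens the injection.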

Risk Assessment

Failure to validate, or to bind as data, the user input used in XPath queries may allow an attacker to bypass authentication (as in the example above), disclose information, and cause execution of unprivileged code.

Guideline        Severity   Likelihood   Remediation Cost   Priority   Level
IDS50IDS52-JJG   medium     probable     medium             P8         L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

[Fortify 2008] "Input Validation and Representation: XML Injection"
[MITRE 2009] CWE ID 643 "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')"
[OWASP 2005] Testing for XPath Injection
[Sen 2007]
[Sun 2006] Ensure Data Security

...