...
Using this method, the data specified in the loginID and password fields cannot be interpreted as executable content at runtime.
In addition, according to OWASP \[[OWASP 2005|AA. References#OWASP 05]\]:

[Prevention of XPath injection] requires the following characters to be removed (i.e., prohibited) or properly escaped:

- `< > / ' = "` to prevent straight parameter injection
- XPath queries should not contain any meta characters (such as `' = * ? //` or similar)
- XSLT expansions should not contain any user input, or if they do, [you should] comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.
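As an added example (not code from this guideline or from OWASP), the following Java program puts the parameter-binding approach referred to above beside the string-concatenation pattern it replaces: the noncompliant method splices loginID and password into the query text, while the compliant one binds them through a javax.xml.xpath.XPathVariableResolver, so the quote and metacharacters in the OWASP list are never parsed as XPath syntax. The XML user store, the class name XPathLoginDemo, the method names and the sample credentials are constructed for this illustration.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLoginDemo {

    // Constructed sample user store for this example (not from the original page).
    private static final String USERS_XML =
          "<users>"
        + "<user><login>alice</login><password>s3cret</password></user>"
        + "<user><login>bob</login><password>hunter2</password></user>"
        + "</users>";

    private static Document loadUsers() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Unrelated to XPath injection, but no DOCTYPE is needed here, so refuse one (blocks XXE).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(USERS_XML)));
    }

    // Noncompliant: loginID and password are spliced into the query text, so a quote
    // character in either one ends the string literal and the remainder is parsed as XPath.
    static boolean loginUnsafe(Document doc, String loginID, String password)
            throws XPathExpressionException {
        String query = "//users/user[login/text()='" + loginID
                     + "' and password/text()='" + password + "']";
        XPath xpath = XPathFactory.newInstance().newXPath();
        // boolean() of a node-set is true exactly when the node-set is non-empty
        return (Boolean) xpath.evaluate(query, doc, XPathConstants.BOOLEAN);
    }

    // Compliant: the query text is a constant; user data enters only as the values of the
    // $loginID and $password variables, which the engine compares as opaque strings and
    // never re-parses as expression syntax.
    static boolean loginSafe(Document doc, String loginID, String password)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("loginID", loginID, "password", password);
        xpath.setXPathVariableResolver(name -> vars.get(name.getLocalPart()));
        XPathExpression query = xpath.compile(
            "//users/user[login/text()=$loginID and password/text()=$password]");
        return (Boolean) query.evaluate(doc, XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        Document doc = loadUsers();
        // Classic payload: closes the password literal and appends an always-true disjunct.
        String injected = "' or '1'='1";

        System.out.println("unsafe, injected password : " + loginUnsafe(doc, "alice", injected));
        System.out.println("safe,   injected password : " + loginSafe(doc, "alice", injected));
        System.out.println("safe,   correct password  : " + loginSafe(doc, "alice", "s3cret"));
        System.out.println("safe,   wrong password    : " + loginSafe(doc, "alice", "guess"));
    }
}
```

With the payload above, the concatenated query becomes `//users/user[login/text()='alice' and password/text()='' or '1'='1']`; because `and` binds more tightly than `or`, the predicate is true for every user element and the unsafe login succeeds without a password. The compliant method compares the same fourteen characters as a single string value, which matches no stored password. Variable binding addresses the quote and metacharacter items in the OWASP list above; it does nothing for the XSLT item, and the escaping or character prohibition OWASP describes is the fallback only where the XPath engine in use cannot bind variables.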
Risk Assessment
Failure to validate user input may result in information disclosure and execution of unprivileged code.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS09-J | medium | probable | medium | P8 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
...
\[[Fortify 2008|AA. References#Fortify 08]\] "Input Validation and Representation: XML Injection"
\[[MITRE 2009|AA. References#MITRE 09]\] [CWE ID 643|http://cwe.mitre.org/data/definitions/643.html] "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')"
\[[OWASP 2005|AA. References#OWASP 05]\] [Testing for XPath Injection|http://www.owasp.org/index.php/XPath_Injection_Testing_AoC]
\[[Sen 2007|AA. References#Sen 07]\]
\[[Sun 2006|AA. References#Sun 06]\] [Ensure Data Security|http://java.sun.com/developer/technicalArticles/xml/jaxp1-3/index.html#Ensure%20Data%20Security]
...