SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 14

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 15

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The extensible markup language (XML) is designed to help store, structure, and transfer data.   Because of its platform independence, flexibility, and relative simplicity, the extensible markup language ( XML ) has found use in a wide range of applications. However, because of its versatility, XML is vulnerable to a wide spectrum of attacks, including XML injection.

A user who has the ability to provide input string data that it is incorporated into an XML document can inject XML tags. These tags are interpreted by the XML parser and may cause data to be overridden.

An online store application where that allows the user has the ability to specify the quantity of an item available for purchase might generate the following XML document:

...

Code Block
1</quantity><price>1.0</price><quantity>1

In which this case, the XML resolves to the following:

Code Block
<item>
  <description>Widget</description>
  <price>500.0</price>
  <quantity>1</quantity><price>1.0</price><quantity>1</quantity>
</item>

...

Depending on the specific data and command interpreter or parser to which data is being sent, appropriate methods must be used to sanitize untrusted user input. This compliant solution validates that quantity is an unsigned integer.:

Code Block
bgColor#ccccff
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;

public class OnlineStore {
  private static void createXMLStream(final BufferedOutputStream outStream,
      final String quantity) throws IOException, NumberFormatException {
    // Write XML string only if quantity is an unsigned integer (count).
    int count = Integer.parseUnsignedInt(quantity);
    String xmlString = "<item>\n<description>Widget</description>\n"
        + "<price>500</price>\n" + "<quantity>" + count + "</quantity></item>";
    outStream.write(xmlString.getBytes());
    outStream.flush();
  }
}

...

Using a schema or DTD to validate XML is convenient when receiving XML that may have been loaded with unsanitized input. If such an XML string has not yet been built, sanitizing input before constructing XML yields better performance.

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS16-J

High

Probable

Medium

P12

L1

Automated Detection

ToolVersionCheckerDescription
Fortify1.0

Missing_XML_Validation

Implemented

Related Vulnerabilities

CVE-2008-2370 describes a vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16. When a RequestDispatcher is used, Tomcat performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.

...

SEI CERT C Coding Standard

STR02-C. Sanitize data passed to complex subsystems

SEI CERT C++ Coding Standard

STR02-CPP. Sanitize data passed to complex subsystems

SEI CERT Perl Coding StandardIDS33-PL. Sanitize untrusted data passed across a trust boundary

ISO/IEC TR 24772:2013

Injection [RST]

MITRE CWE

CWE-116, Improper encoding Encoding or escaping Escaping of outputOutput

Bibliography

[OWASP 2005]

A Guide to Building Secure Web Applications and Web Services

[OWASP 2007]

OWASP Top 10 for Java EE

[OWASP 2008]

Testing for XML Injection (OWASP-DV-008)

[Seacord 2015] Image result for video icon IDS00-J. Prevent SQL Injection LiveLesson

[W3C 2008]

Section 4.4.3, "Included If Validating"

 

...