
...

This rule is a specific example of the broadly scoped rule FIO38-J. Validate user input.

XPath Injection Example

Consider the following XML schema.

...

This will subsequently reveal all the records in the XML file.

Noncompliant Code Example

Consider the following example in the context of the attack illustrated above. A username and password are read from the user and used to construct the query string.

...

The evaluate function call returns a set containing every node in the XML file, so the login function returns true and authorization is bypassed.

Compliant Solution

XPath injection can be prevented by adopting defenses similar to SQL injection. These include:

...

Using this method, the data supplied in the loginID and password fields is treated as a value and is never interpreted as part of an executable XPath expression at runtime.
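The two approaches side by side, as an added example that is not the rule's own code: a login check that splices user input into the XPath query string, and the same check with a fixed query whose values are bound through an XPathVariableResolver. The XML document, the element names (user, username, password) and the method names loginUnsafe and loginSafe are assumptions made for this example, not part of the rule page.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathLoginDemo {

    // Constructed sample data for this example; not the schema from the rule page.
    private static final String USERS_XML =
        "<users>"
      + "  <user><username>alice</username><password>s3cret</password></user>"
      + "  <user><username>bob</username><password>hunter2</password></user>"
      + "</users>";

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the sample parser is not exposed to entity expansion.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Noncompliant: user-controlled strings become part of the query syntax.
    static boolean loginUnsafe(Document doc, String user, String pass)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String expr = "//user[username/text()='" + user
                    + "' and password/text()='" + pass + "']";
        NodeList nodes = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
        return nodes.getLength() > 0;
    }

    // Compliant: the query is a constant; the values are resolved as XPath variables,
    // so quotes or operators inside them are plain character data.
    static boolean loginSafe(Document doc, String user, String pass)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("user", user, "pass", pass);
        xpath.setXPathVariableResolver(name -> vars.get(name.getLocalPart()));
        String expr = "//user[username/text()=$user and password/text()=$pass]";
        NodeList nodes = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
        return nodes.getLength() > 0;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);

        // A legitimate login succeeds either way.
        System.out.println("unsafe, valid creds: " + loginUnsafe(doc, "alice", "s3cret"));
        System.out.println("safe,   valid creds: " + loginSafe(doc, "alice", "s3cret"));

        // A value that turns the predicate into a tautology (the attack the rule describes):
        // the unsafe query matches every user, the parameterized query matches none.
        String tautology = "' or '1'='1";
        System.out.println("unsafe, tautology:   " + loginUnsafe(doc, tautology, tautology));
        System.out.println("safe,   tautology:   " + loginSafe(doc, tautology, tautology));
    }
}
```

The variable resolver is the XPath analogue of a prepared statement: the expression is parsed once with $user and $pass as placeholders, and the resolver hands back each value as a string object, so the XPath engine never re-parses user input as query text. Input validation (for example, restricting loginID to the character set the application actually accepts) is still worthwhile as defense in depth, but it is the binding, not the filtering, that removes the injection.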

Risk Assessment

Failing to validate user input may result in information disclosure and execution of unprivileged actions.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
MSC36-J   medium    probable    medium            P8        L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[Fortify 08] "Input Validation and Representation: XML Injection"
[Sen 07]
[Sun 06] Ensure Data Security: http://java.sun.com/developer/technicalArticles/xml/jaxp1-3/index.html#Ensure%20Data%20Security
[OWASP 05] Testing for XPath Injection: http://www.owasp.org/index.php/XPath_Injection_Testing_AoC