SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 57

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 58

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

XPath injection occurs when an XML document is used for data storage in a manner similar to a relational database. This attack is similar to SQL injection, (guideline IDS07-J. Prevent SQL Injection) , wherein an attacker can enter valid SQL constructs into the data fields of the query in use. Typically, the conditional field of the query resolves to a tautology or gives the attacker access to privileged information. This rule is a specific example of the broadly scoped rule guideline IDS00-J. Always validate user input.

...

  • Treat all user input as untrusted and perform appropriate sanitization.
  • When validating user input, verify the data type, length, format and the content. For example, use a regular expression that checks for XML tags and special characters in user input. This corresponds to input validation. (See guideline IDS00-J. Always validate user input.).
  • In a client-server application, perform validation at both the client and the server side.
  • Extensively test applications that supply, propagate or use user input.

In similar vulnerabilities such as SQL injection, an effective prevention technique is parameterization. In this technique, user-specified data is passed directly to an API as a parameter, which ensures that no data specified by the user is interpreted as executable logic. Unfortunately, such an interface does not currently exist in Java SE. However, this functionality can be emulated by using an interface such as XQuery that enables the user to effectively parameterize data by specifying a query statement in a separate file, and supplying the query at runtime. This compliant solution uses a query specified in a text file by reading it in the required format and entering values for the user name and password in a Map. The XML query is constructed from these elements subsequently.

...

Wiki Markup
In addition, OWASP \[[OWASP 2005|AA. Java References#OWASP 05]\] recommends:

Wiki Markup
\[Prevention of XPath injection\] requires the following characters to be removed (ie prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection
  • XPath queries should not contain any meta characters (such as ' = * ? // or similar)
  • XSLT expansions should not contain any user input, or if they do, that you comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.

...

Failing to validate user input may result in information disclosure and execution of unprivileged code.

Rule Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

IDS09-J

medium

probable

medium

P8

L2

...