...

import java.io.IOException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

class XpathInjection {
  private boolean doLogin(String loginID, String password)
      throws ParserConfigurationException, SAXException, IOException, XPathExpressionException {

    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
    domFactory.setNamespaceAware(true);
    DocumentBuilder builder = domFactory.newDocumentBuilder();
    Document doc = builder.parse("users.xml");

    XPathFactory factory = XPathFactory.newInstance();
    XPath xpath = factory.newXPath();
    // Noncompliant: loginID and password are concatenated straight into the
    // expression, so their contents are interpreted as XPath syntax
    XPathExpression expr = xpath.compile("//users/user[login/text()='" +
        loginID + "' and password/text()='" + password + "']");
    Object result = expr.evaluate(doc, XPathConstants.NODESET);
    NodeList nodes = (NodeList) result;

    // Print the text content of each matched user element to the console
    for (int i = 0; i < nodes.getLength(); i++) {
      System.out.println(nodes.item(i).getTextContent());
    }

    return (nodes.getLength() >= 1);
  }
}

...

  • Treat all user input as untrusted and perform appropriate sanitization
  • When validating user input, verify the data type, length, format, and content. For example, use a regular expression that checks for XML tags and special characters in user input. This corresponds to input validation (IDS00-J. Always validate user input).
  • In a client-server application, perform validation at both the client and the server side
  • Extensively test applications that supply, propagate or use user input

In similar vulnerabilities such as SQL injection, an effective prevention technique is parameterization. In this technique, user-specified data is passed directly to an API as a parameter, which ensures that no data specified by the user is interpreted as executable logic. Unfortunately, such an interface does not currently exist in Java SE. However, this functionality can be emulated by using an interface such as XQuery, which lets the user effectively parameterize data by specifying the query statement in a separate file and supplying the query at runtime. This compliant solution uses a query specified in a text file: the file is read in the required format, the values for the user name and password are entered in a Map, and the XML query is then constructed from these elements.

...

Using this method, the data specified in the loginID and password fields is not interpreted as executable content at runtime.

...

Prevention of XPath injection requires the following characters to be removed (i.e., prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection
  • XPath queries should not contain any metacharacters (such as ' = * ? // or similar)
  • XSLT expansions should not contain any user input; if they do, comprehensively test for the existence of the file and ensure that the files are within the bounds set by the Java 2 Security Policy.
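The following added example (not the rule's own code) applies the validation guidance from both lists above: it rejects the listed metacharacters before a login value can reach a string-built XPath expression, using a constructed in-memory users.xml so it runs without a file. The class and method names, the sample data, and the exact character set in FORBIDDEN are assumptions for illustration.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XpathInputValidation {
  // Constructed sample data (assumption) so the example runs with no users.xml on disk
  private static final String USERS_XML =
      "<users><user><login>alice</login><password>s3cret</password></user></users>";

  // Characters the guidance above says must be removed or escaped: < > / ' = "
  // plus the XPath metacharacters * ? and the bracket, paren, @ and | tokens (assumed set)
  private static final Pattern FORBIDDEN = Pattern.compile("[<>/'=\"*?()\\[\\]@|]");

  // Rejects null, empty, or any value containing a forbidden character
  static String requireSafe(String field, String value) {
    if (value == null || value.isEmpty() || FORBIDDEN.matcher(value).find()) {
      throw new IllegalArgumentException("invalid characters in " + field);
    }
    return value;
  }

  static boolean doLogin(String loginID, String password) throws Exception {
    // Validate first: the query is still built by concatenation, so this check is the barrier
    String login = requireSafe("loginID", loginID);
    String pass = requireSafe("password", password);
    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
    domFactory.setNamespaceAware(true);
    Document doc = domFactory.newDocumentBuilder()
        .parse(new InputSource(new StringReader(USERS_XML)));
    NodeList nodes = (NodeList) XPathFactory.newInstance().newXPath().evaluate(
        "//users/user[login/text()='" + login + "' and password/text()='" + pass + "']",
        doc, XPathConstants.NODESET);
    return nodes.getLength() >= 1;
  }

  public static void main(String[] args) throws Exception {
    System.out.println("valid credentials:   " + doLogin("alice", "s3cret"));
    System.out.println("wrong password:      " + doLogin("alice", "wrong"));
    try {
      doLogin("a'b", "s3cret"); // contains a quote, one of the listed characters
    } catch (IllegalArgumentException e) {
      System.out.println("rejected input:      " + e.getMessage());
    }
  }
}
```

Restricting the password character set this way is a trade-off that the parameterized XQuery approach described above avoids; where an XQuery engine is available, prefer that solution and keep this validation as defence in depth.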

...