The extensible markup language (XML) is designed to help store, structure, and transfer data. Because of its platform independence, flexibility, and relative simplicity, XML has found use in a wide range of applications, from remote procedure calls to the systematic storage, exchange, and retrieval of data. However, that same versatility exposes XML to a wide spectrum of attacks, including XML injection.
A user who can supply structured XML as input can override the contents of string data that is incorporated into an XML document by injecting XML tags into data fields. The XML parser interprets these tags as markup (element structure) rather than as character data, and as a result certain data members may be overridden.
Consider the following XML snippet from an online store application that queries a back-end database. The user can specify the quantity of an item to purchase, and the application generates the following XML document:
Code Block:
    <item>
      <description>Widget</description>
      <price>500.0</price>
      <quantity>1</quantity>
    </item>
An attacker might input the following string instead of a simple number for the quantity field:
Code Block:
    1</quantity><price>1.0</price><quantity>1
Consequently, the XML resolves to the following block, in which the attacker-supplied <price> element follows the application's own:
Code Block:
    <item>
      <description>Widget</description>
      <price>500.0</price>
      <quantity>1</quantity><price>1.0</price><quantity>1</quantity>
    </item>
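The following Python program is an added example that is not part of the original page. It builds the <item> document above from a user-supplied quantity in two ways: the vulnerable way (splicing the raw string into the markup) and a hardened way (allow-list validation of the quantity plus XML escaping of any text placed into the document). It then feeds the result to a SAX handler that records the text of each field and overwrites the stored value whenever an element name repeats, which is exactly what the injected second <price> exploits. The item price, the quantity format `[1-9][0-9]{0,2}`, and the helper names are assumptions chosen for the example.

```python
"""Added example (not from the original page): XML injection in an
online-store <item> document and a hardened document builder."""
import re
import xml.sax
from xml.sax.handler import ContentHandler
from xml.sax.saxutils import escape

PRICE = "500.0"  # constructed sample data for the example

# Assumed shape of the attacker's input from the page's scenario.
INJECTION_PAYLOAD = "1</quantity><price>1.0</price><quantity>1"


def build_item_unsafe(quantity):
    """Vulnerable: untrusted input is concatenated straight into the markup,
    so a '<' in the quantity opens new elements."""
    return ("<item><description>Widget</description>"
            "<price>%s</price><quantity>%s</quantity></item>" % (PRICE, quantity))


def build_item_safe(quantity):
    """Hardened: the quantity must match an allow-list pattern (assumed here:
    a positive integer of up to three digits), and every value placed in the
    document is XML-escaped so that '<', '>' and '&' become character data."""
    if not re.fullmatch(r"[1-9][0-9]{0,2}", quantity):
        raise ValueError("quantity must be an integer between 1 and 999")
    return ("<item><description>Widget</description>"
            "<price>%s</price><quantity>%s</quantity></item>"
            % (escape(PRICE), escape(quantity)))


def rejects(quantity):
    """True if the hardened builder refuses the given quantity string."""
    try:
        build_item_safe(quantity)
    except ValueError:
        return True
    return False


class ItemHandler(ContentHandler):
    """SAX handler that stores the text of each child element of <item>.
    A repeated element name resets and overwrites the earlier value, so the
    last <price> seen wins."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        if name != "item":
            self.fields[name] = ""  # a second <price> wipes the first one

    def characters(self, content):
        if self._current is not None and self._current != "item":
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_item(xml_text):
    """Parse an <item> document and return {element name: text}."""
    handler = ItemHandler()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.fields


if __name__ == "__main__":
    print("benign:  ", parse_item(build_item_unsafe("1")))
    print("injected:", parse_item(build_item_unsafe(INJECTION_PAYLOAD)))
    print("hardened rejects payload:", rejects(INJECTION_PAYLOAD))
```

Run as a script, the injected document parses with price "1.0" even though the application wrote 500.0, while the hardened builder refuses the payload before any XML is produced. Note that escaping alone would also keep the structure intact (the '<' characters would become `&lt;` text inside <quantity>), but the allow-list check is the primary control because it rejects input that is not a valid quantity at all.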
...