Input sanitization refers to the elimination of unwanted characters from the input by means of removal, replacement, encoding or escaping the characters. It is critical to sanitize input because an application may not be prepared to handle the malformed input or the unsanitized input may conceal an attack vector.
Noncompliant Code Example
This noncompliant code example uses a user generated string xmlString
. The string is designed to be parsed by an XML parser (see IDS05-J. Prevent XML Injection). The description
node is a String
, as defined by the XML schema. Consequently, it accepts all valid characters including CDATA
tags. This is dangerous because an attacker may be able to inject an executable script into the XML representation as CDATA
tags, when processed, are removed by the XML parser. This can result in a Cross Site Scripting (XSS) vulnerability if the text in the nodes is displayed back to the user.
xmlString = "<item>\n" + "<description><![CDATA[<]]>script<![CDATA[>]]> alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]></description>\n" + "<price>500.0</price>\n" + "<quantity>1</quantity>\n" + "</item>";
Likewise, if the XML tree is constructed at the server side from some inputs obtained from the client, it is also possible to insert comments of the form <!-- \-\->}} and override the server side inputs. For instance, if the user can enter input into the {{description}} and {{quantity}} fields, it may be possible to override the {{price}} field set by the server. This can be achieved by entering {{<!-- description
in the description
field and --></description> <price>100.0</price><quantity>1
in the quantity
field. The equivalent XML representation is shown below. Note that the user can override the price field and change it from 500.0 to 100.0.
xmlString = "<item>\n"+ "<description><!-- description</description>\n" + "<price>500.0</price>\n" + "<quantity>--></description> <price>100.0</price> <quantity>1</quantity>\n" + "</item>";
Compliant Solution
This compliant solution creates a white list of possible string inputs. It allows only characters in the description
node, eliminating the possibility of injection of <
and >
tags.
Pattern pattern = Pattern.compile("[a-zA-Z]"); Matcher matcher = pattern.matcher(xmlString); if(matcher.find()) { // use the xmlString } else { // throw a runtime exception and forward to handler }
Risk Assessment
Failure to sanitize user input before processing or storing it can lead to injection of arbitrary executable content.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
IDS08- J |
high |
probable |
medium |
P12 |
L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[OWASP 08]] Testing for XML Injection (OWASP-DV-008)
IDS07-J. Understand how escape characters are interpreted when String literals are compiled 10. Input Validation and Data Sanitization (IDS) IDS09-J. Account for supplementary and combining characters in globalized code