Avoiding XML injection

I have an input field value that is used to build an XPath query. What characters in the input string should be checked for to minimize the possibility of XML injection?

+6
xml
6 answers

This document details the concept of "Blind XPath Injection".

It provides specific examples of XPath injections and discusses ways to prevent them.

The XPath Injection Protection section says:

"Protection against XPath Injection is essentially similar to protection against SQL injection. An application must sanitize user input. In particular, the single and double quote characters must not be allowed. This can be done either in the application itself or in a third-party product (for example, an application firewall). Testing an application's susceptibility to XPath Injection can easily be done by entering a single or double quotation mark and checking the response. If an error occurs, then XPath injection is likely possible."

As others have said, you should also pay attention to the use of axes and the // abbreviation. If XPath 2.0 is used, then doc() should not be allowed, as it provides access to any document with a known URI (or file name).

It is advisable to use an API that precompiles the XPath expression but leaves open the possibility of working with dynamically defined parameters or variables. User input then determines only the contents of those parameters and is never treated as a modification of the already compiled expression.

+7
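The answer above recommends a precompiled expression whose only variable parts are bound parameters. The Python below is added here as an example; it is not code from the original page or from any XPath library. It shows the concatenated query the question describes, what a quote in the input does to it, and a minimal binder that keeps user input confined to a string literal. The template, the $n and $p variable names, the function names and the attacker payload are assumptions of this example. Because XPath 1.0 string literals have no escape sequences, xpath_literal falls back to the concat() construction for values that contain both quote kinds.

```python
import re

# Assumed XPath template for a login check. $n and $p are the variables a
# real binding API (for example javax.xml.xpath with an XPathVariableResolver)
# would resolve; the template itself never changes at run time.
LOGIN_TEMPLATE = "//user[name=$n and password=$p]"

# Constructed attacker input: it closes the name literal, adds an always-true
# predicate and re-opens a literal so the rest of the query still parses.
INJECTION = "' or 1=1 or ''='"


def vulnerable_query(name: str, password: str) -> str:
    """The pattern the question describes: user text spliced into XPath.

    A single quote in the input terminates the literal, and everything after
    it is parsed as part of the expression.
    """
    return "//user[name='" + name + "' and password='" + password + "']"


def xpath_literal(value: str) -> str:
    """Render any string as an XPath 1.0 string literal.

    XPath literals cannot contain the quote character that delimits them and
    have no escape sequences, so a value containing both quote kinds is split
    into pieces joined with concat().
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append("'" + part + "'")
        if i < len(parts) - 1:
            pieces.append('"\'"')  # the single quote itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"


_VARIABLE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def bind(template: str, **params: str) -> str:
    """Minimal stand-in for a variable-binding XPath API.

    The template is fixed program text. Every $name placeholder is replaced
    by a properly quoted literal, so user input can never alter the structure
    of the expression. An unbound variable is an error rather than being left
    in place silently.
    """
    def substitute(match):
        key = match.group(1)
        if key not in params:
            raise KeyError("unbound XPath variable $" + key)
        return xpath_literal(params[key])

    return _VARIABLE.sub(substitute, template)


if __name__ == "__main__":
    # concatenated: //user[name='' or 1=1 or ''='' and password='x']
    print("concatenated:", vulnerable_query(INJECTION, "x"))
    # bound:        //user[name="' or 1=1 or ''='" and password='x']
    print("bound:       ", bind(LOGIN_TEMPLATE, n=INJECTION, p="x"))
```

In the concatenated form the predicate becomes true for every user regardless of the password; in the bound form the same payload is just the string compared against name. The binder does the equivalent of what a real parameterized XPath API does internally, which is why the page's advice to prefer such an API covers both quote kinds and the // and :: tokens at once: none of them are ever interpreted outside a literal.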

Turn your tactics upside down.

Don't try to filter out unacceptable characters - that is the policy "Assume it's OK if I don't know that it's bad."

Instead, filter in valid characters - the policy "This stuff is fine; I assume everything else is bad."

For security reasons, adopt a Default Deny policy instead of a Default Accept policy.

For example...

... if you are asking someone for a search term, say a person's name, restrict the input to only those characters that you would expect to find in names.

One way is to restrict to A-Z and then make sure that your search technique is accent-insensitive (for example, I = ì = í = î = ï, etc.), although this falls down on non-European names.

... if you are asking for a number, allow only digits and reject everything else.

+6
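The allowlist approach in the answer above, as an added Python example that is not from the original page: each field type gets its own pattern, anything that does not match is rejected, and names are accent-folded before matching (the I = ì = í = î = ï point) using Unicode NFKD decomposition. The field patterns, length limits and function names are assumptions of this example. As the answer notes, the Latin-only pattern rejects names written in other scripts, which the example shows rather than hides.

```python
import re
import unicodedata
from typing import Optional

# Per-field allowlists (assumed for this example). A value that does not
# match the whole pattern is rejected; there is no list of "bad" characters
# such as quotes, // or :: to maintain, because none of them can match.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z -]{0,63}")
NUMBER_PATTERN = re.compile(r"[0-9]{1,12}")


def fold_accents(text: str) -> str:
    """Map accented Latin letters to their base letter (ì í î ï -> i).

    NFKD splits a precomposed letter into its base letter plus combining
    marks; dropping the marks leaves the base letter. Letters with no such
    decomposition (for example ß, ø, or any non-Latin script) pass through
    unchanged and are then rejected by NAME_PATTERN.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def validate_name(value: str) -> Optional[str]:
    """Return the folded name if it is on the allowlist, otherwise None."""
    folded = fold_accents(value.strip())
    return folded if NAME_PATTERN.fullmatch(folded) else None


def validate_number(value: str) -> Optional[int]:
    """Return the integer if the input is a plain decimal number, else None."""
    stripped = value.strip()
    return int(stripped) if NUMBER_PATTERN.fullmatch(stripped) else None


def names_match(a: str, b: str) -> bool:
    """Accent- and case-insensitive comparison, so that a folded query still
    finds the accented spelling stored in the document."""
    return fold_accents(a).casefold() == fold_accents(b).casefold()


if __name__ == "__main__":
    # Constructed inputs: two legitimate names, an injection payload, a
    # path-traversal style value, and a name in a non-Latin script.
    for sample in ["Zoë Müller", "Anne-Marie", "' or 1=1 or ''='",
                   "//user", "Γιώργος"]:
        print(repr(sample), "->", validate_name(sample))
    for sample in ["42", "4*2", "1 or 1"]:
        print(repr(sample), "->", validate_number(sample))
```

Only the value returned by a validator should ever reach the XPath builder; the raw input is discarded. Folding is applied on both sides of the comparison (names_match) so the allowlist does not silently turn "Chloé" into a search that never matches the stored record.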

I would start by looking at what constitutes valid input for your particular use case, and then consider ways to exclude everything else. If you have a fixed range of input values, I would limit the input to only those values. Otherwise, if your use case requires you to allow for future needs, you will probably want to check for axis modifiers and path separators such as : and \ .

+1

It depends on what you mean by "XML injection." Are there parts of the document that are sensitive and that the user is not allowed to see? Or do you expose it in a writable state and allow the user to update parts of the document, where they are only allowed to update certain parts?

At a basic level, to answer your question you need to look for XPath axis operations (for example //, /, ::) and wildcards (@*, *) at least. But I feel that using user input to build XPath directly may not be the optimal solution. Perhaps if you give us more context around what you are trying to achieve, we can offer alternative approaches?

+1

Closing this vulnerability is just a hotfix, so applying the "Default Deny" policy now is too risky. I decided to check the input for the following characters: [ " ' * = { \ . and space. I think this can prevent the most common attacks. Thank you all for the answers!

0

Validating the input string would be useful, perhaps using something like a regular expression (something like ^\w+), based on the premise that no special characters will be allowed.

0