CWE Glossary

CWE is a trademark of the MITRE Corporation.


XML Injection [CWE-91]

This weakness describes improper neutralization of special elements used in XML queries.

Created: February 23, 2013
Latest Update: August 5, 2015

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Mitigations
  6. Severity and CVSS Scoring
  7. References

1. Description

A variety of popular software (Apache Tomcat, OpenOffice, Microsoft Office, IM Jabber, Zend Framework, IBM WebSphere) uses eXtensible Markup Language (XML) to communicate with back-end servers, authenticate users, store information, and so on. XML is also the data structure underlying many protocols, such as XML-RPC, SOAP, Jabber, WDDX and XMI.

To demonstrate the XML injection weakness we will use a simple application that creates new users by appending a record to an XML file. The XML file with user credentials looks as follows:
XML file

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <users>
          <user>
                  <username>admin</username>
                  <password>VeryStrongP@ssw0rd</password>
                  <userid>1</userid>
                  <groupid>1</groupid>
                  <mail>admin@mysite.com</mail>
          </user>
          <user>
                  <username>user</username>
                  <password>weakpass</password>
                  <userid>500</userid>
                  <groupid>10</groupid>
                  <mail>user@mysite.com</mail>
          </user>
  </users>

Registration form

  <form name="frm" method="post" action="">
  <p>Username: <input type="text" name="login"></p>
  <p>Password: <input type="password" name="passwd"></p>
  <!-- field name "email" is assumed here; the page's server-side code is not shown -->
  <p>Email: <input type="text" name="email"></p>
  <p><input type="submit" value="Register" name="btLogin"></p>
  </form>

Let's assume that the application assigns privileges based on group membership, and that new registrations are written with the default values userid 500 and groupid 10. To become a member of group #1, the attacker has to alter the XML that the application writes during registration. Because the form values are concatenated into the record without escaping, the following input achieves this: the password value closes the <password> element and opens an XML comment, and the e-mail value closes that comment and supplies attacker-chosen <userid> and <groupid> elements, so the application's default values end up inside the comment and are ignored by the parser.
Username: attacker
Password: password</password><!--
E-mail: --><userid>10000</userid><groupid>1</groupid><mail>attacker@attacker.com

Once the registration is processed, the XML file will look like this:

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <users>
          <user>
                  <username>admin</username>
                  <password>VeryStrongP@ssw0rd</password>
                  <userid>1</userid>
                  <groupid>1</groupid>
                  <mail>admin@mysite.com</mail>
          </user>
          <user>
                  <username>user</username>
                  <password>weakpass</password>
                  <userid>500</userid>
                  <groupid>10</groupid>
                  <mail>user@mysite.com</mail>
          </user>
          <user>
                  <username>attacker</username>
                  <password>password</password> <!--
                  <userid>500</userid>
                  <groupid>10</groupid>
                  <mail>--><userid>10000</userid><groupid>1</groupid><mail>attacker@attacker.com</mail>
          </user>
  </users>

When the application parses the file (here with PHP's SimpleXML and print_r()), the result is as follows:

  SimpleXMLElement Object
  (
      [user] => Array
          (
              [0] => SimpleXMLElement Object
                  (
                      [username] => admin
                      [password] => VeryStrongP@ssw0rd
                      [userid] => 1
                      [groupid] => 1
                      [mail] => admin@mysite.com
                  )

              [1] => SimpleXMLElement Object
                  (
                      [username] => user
                      [password] => weakpass
                      [userid] => 500
                      [groupid] => 10
                      [mail] => user@mysite.com
                  )

              [2] => SimpleXMLElement Object
                  (
                      [username] => attacker
                      [password] => password
                      [comment] => SimpleXMLElement Object
                          (
                          )

                      [userid] => 10000
                      [groupid] => 1
                      [mail] => attacker@attacker.com
                  )
          )

  )

As you can see, the new user is a member of the first group: the default <userid> and <groupid> elements were swallowed by the injected comment, and the attacker-supplied ones took their place. The XML injection succeeded and achieved the intended result.

2. Potential impact

As with any code injection, the potential impact depends on the vulnerable application and its functionality. An attacker might be able to gain access to potentially sensitive information, modify or delete data, and elevate privileges within the application. XML injection can also be combined with XXE attacks to gain access to internal networks, gather sensitive information, perform port scans, etc. In a worst-case scenario this weakness could result in full system compromise.

3. Attack patterns

According to CAPEC, the following attack patterns apply to this weakness:


Another classification, from WASC, gives the following attack techniques:

4. Affected software

Extensible Markup Language is integrated into a variety of client/server applications and protocols. Any software that builds XML documents or XML-based protocol messages from untrusted input may be vulnerable to this weakness.

5. Mitigations

Protection against XML injection depends on validating external input. When developing an application, pay extra attention to user-supplied data. Programmers can use regular expressions to validate untrusted input. The following regular expression limits the scope of potential attacks by allowing only letters and digits: it matches any character that is not alphanumeric, so input for which it finds a match should be rejected.
/[^0-9a-z]/i

Note that such an allow-list regex only fits fields like usernames; an e-mail address legitimately contains "@" and ".", so fields that must accept XML metacharacters have to be escaped (or built through an XML library) rather than filtered.

As an additional layer of defence, encode data on output, so that any special characters that reach the XML document are emitted as entities rather than markup.
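The following Python example is added here and is not code from the original page; it replays the registration payload from the Description above against two ways of writing the user record. The string-concatenation builder reproduces the page's result (the new user lands in group 1), while the builder that uses an XML library stores the same input as escaped text and the user stays in the default group. The page's regex is applied as an allow-list check on the username field; the field names, default userid 500 and default groupid 10 are taken from the page's scenario.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the registration payload shown on the page.
PAYLOAD = {
    "login": "attacker",
    "passwd": "password</password><!--",
    "email": "--><userid>10000</userid><groupid>1</groupid><mail>attacker@attacker.com",
}
DEFAULT_USERID, DEFAULT_GROUPID = "500", "10"   # defaults assumed for new registrations

def build_user_unsafe(login, passwd, email):
    """Vulnerable: form values are concatenated straight into the record (the page's bug)."""
    return (f"<user><username>{login}</username><password>{passwd}</password>"
            f"<userid>{DEFAULT_USERID}</userid><groupid>{DEFAULT_GROUPID}</groupid>"
            f"<mail>{email}</mail></user>")

def build_user_safe(login, passwd, email):
    """Hardened: the XML library escapes <, > and & in text nodes, so input cannot become markup."""
    user = ET.Element("user")
    for tag, value in (("username", login), ("password", passwd), ("userid", DEFAULT_USERID),
                       ("groupid", DEFAULT_GROUPID), ("mail", email)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(user, encoding="unicode")

def stored_field(user_xml, tag):
    """Parse the record the way the application would and return the first <tag> value.
    Comments are dropped by the parser, exactly as SimpleXML did on the page."""
    root = ET.fromstring(f"<users>{user_xml}</users>")
    return root.find(f"user/{tag}").text

# The page's regex: any character that is NOT a letter or digit. A match means "reject".
NOT_ALNUM = re.compile(r"[^0-9a-z]", re.I)

def is_valid_username(value):
    """Allow-list check for the username field; unsuitable for e-mail addresses."""
    return bool(value) and NOT_ALNUM.search(value) is None

if __name__ == "__main__":
    args = (PAYLOAD["login"], PAYLOAD["passwd"], PAYLOAD["email"])
    print("unsafe groupid:", stored_field(build_user_unsafe(*args), "groupid"))  # 1
    print("safe groupid:  ", stored_field(build_user_safe(*args), "groupid"))    # 10
    print("safe password: ", stored_field(build_user_safe(*args), "password"))   # literal payload
    print("username ok:   ", is_valid_username(PAYLOAD["login"]))
```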

6. Severity and CVSS Scoring

XML injection weaknesses can affect the confidentiality, integrity and availability of the application. Depending on the application's functionality, an attacker might be able to read, modify or delete information stored in XML files, or even elevate privileges within the application.

Where the weakness allows an unprivileged user to disclose information, it should be scored as:
5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) – Medium severity.

Where it allows unauthorized data manipulation, it should be scored as:
6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) – Medium severity.

Where it allows privilege escalation, it can be scored as:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) – High severity.

7. References

  1. CWE-91: XML Injection (aka Blind XPath Injection) [cwe.mitre.org]
  2. Testing for XML Injection (OWASP-DV-008) [www.owasp.org]
  3. XML Injection [clawslab.nds.rub.de]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
