XML injection occurs when an attacker is able to supply data to the application that is interpreted as a part of an XML document in a manner that violates the intended use of XML by the application. XML injection vulnerabilities occur when untrusted data is allowed to be concatenated with XML data. Concatenating the attacker's data with XML allows the attacker to manipulate the syntax and the contents of the XML document and thus allows the attacker to modify the behavior of the application.
This issue affects all applications that use XML.
The exact impact of an XML injection vulnerability depends on the application. The most likely practical attack vector is that the attacker will be able to manipulate the business logic of the application. For example, the attacker might be able to change prices of items in an online store. If the application's authentication mechanism is affected, the attacker might be able to bypass authentication controls.
Another likely scenario is that the attacker will use XML injection to perform cross-site scripting attacks by modifying XML data to include client-side scripts. The cross-site scripting vector requires that the XML data is included in Web pages without being properly encoded.
To protect against XML injection attacks, validate all input and use parameterized APIs to build XML documents (instead of concatenating user data into strings that contain XML data).
To check for adequate protection against XML injection, verify that all input is validated and that parameterized APIs are used to build XML documents.
Computer Based Training Links
Use the following Computer Based Training course(s) for more background information about this type of vulnerabilities.
OWASP Top Threats & Mitigations
This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact firstname.lastname@example.org for help.