Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to avoid XML injection

Tags:

.net

xml

I have input field value from that is used for forming XPath query. What symbols in input string should I check to minimise possibility of XML injection?

like image 216
Michael Baranov Avatar asked Dec 12 '08 16:12

Michael Baranov

2 Answers

This document describes in detail the concept of "Blind XPath Injection".

It provides concrete examples of XPath injections and discusses ways of preventing such.

In the section "Defending against XPath Injection" it is said:

"Defending against XPath Injection is essentially similar to defending against SQL injection. The application must sanitize user input. Specifically, the single and double quote characters should be disallowed. This can be done either in the application itself, or in a third party product (e.g. application firewall.) Testing application susceptibility to XPath Injection can be easily performed by injecting a single quote or a double quote, and inspecting the response. If an error has occurred, then it’s likely that an XPath Injection is possible."

As others have said, one should also pay attention to using of axes and the // abbreviation. If XPath 2.0 is being used, then the doc() function should not be allowed, as it gives access to any document with known URI (or filename).

It is advisable to use an API which precompiles an XPath expression but leaves the possibility that it works with dynamically defined parameters or variables. Then the user input will define the contents of these parameters only and will never be treated as a modification of the already compiled expression.

like image 162
Dimitre Novatchev Avatar answered Sep 21 '22 15:09

Dimitre Novatchev

Turn your tactics upside down.

Don't try to filter out unacceptable characters - a policy of "Assume it's OK unless I know it's bad"

Instead, filter in acceptable characters - a policy of "This stuff is OK, I'll assume everything else is bad".

In security terms, adopt a policy of "Default Deny" instead of "Default Accept".

For example ...

... if you're asking someone for a search term, say a persons first name, limit the input to only the characters you expect to find in names.

One way would be to limit to A-Z and then ensure that your search technique is accent aware (eg i = ì = í = î = ï and so on ), though this falls down on non-european naming.

... if you're asking for a number, limit to just digits and reject everything else.

like image 23
Bevan Avatar answered Sep 20 '22 15:09

Bevan
Sign in to Comment

Related questions

Where clause not included in SQL query
How can I check if a certificate is self-signed?
Long running task in ApiController (using WebAPI, self-hosted OWIN)
Deserializing a list of interfaces with a custom JsonConverter?
Microsoft.web.Infrastructure.dll not found - Visual studio 2015
Writing many variables into textfile
How to run dot net core application in detached mode using "dotnet run" command
Why UseAuthentication must be before UseMvc in NET Core 2.0
OpenCV MatchTemplate in C# is too slow compared to Python
.NET Core 2.1 - How to create COM object and generate *.tlb file
Adding a unique index on EF Core mapping does not seem to work
ExecutionContext does not flow up the call stack from async methods
Why do .NET Core and .NET 5 generate an executable?
Garbage Collection: Is it necessary to set large objects to null in a Dispose method?
What does the PDB get me while debugging and how do I know it's working?
What is the best way to improve ASP.NET/C# compilation speed?
Response.Redirect strips Header Referrer - Possible to Add it Back?
Using MySql From .Net - Licensing Concerns
Modifying PDF document properties [closed]
Heterogeneous Dictionary, but typed?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!