Web XML Injection

Web XML注入

风险: high

描述

当用户输入未被正确合并到服务器端XML文档或SOAP消息中时，就会出现XML注入漏洞。利用此漏洞涉及操作XML元字符，以潜在地改变XML结构。其影响根据使用XML文档的功能而异，从破坏应用程序逻辑到未经授权的操作或未经授权访问敏感数据不等。

Java

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.StringWriter;

public class XMLInjectionExample {

    public static void main(String[] args) {
  // Simulated user input (this should come from a user or external source)
  String userInput = "<maliciousTag>Payload</maliciousTag>";

  // Vulnerable XML construction without proper input validation
  String xmlData = "<data>" + userInput + "</data>";

  // Process the XML data (vulnerable code)
  processXmlData(xmlData);
    }

    public static void processXmlData(String xmlData) {
  try {
      // Parse the XML data
      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
      DocumentBuilder builder = factory.newDocumentBuilder();
      Document document = builder.parse(new org.xml.sax.InputSource(new java.io.StringReader(xmlData)));

      // Extract information from the XML (vulnerable code)
      Element root = document.getDocumentElement();
      String content = root.getTextContent();
      System.out.println("Processed XML data: " + content);
  } catch (Exception e) {
      System.err.println("Error processing XML data: " + e.getMessage());
  }
    }
}

JavaScript

const userInput = '<maliciousTag>Payload</maliciousTag>';

// Vulnerable XML construction without proper input validation
const xmlData = '<data>' + userInput + '</data>';

// Process the XML data (vulnerable code)
processXmlData(xmlData);

function processXmlData(xmlData) {
    try {
  // Parse the XML data
  const parser = new DOMParser();
  const xmlDoc = parser.parseFromString(xmlData, 'text/xml');

  // Extract information from the XML (vulnerable code)
  const content = xmlDoc.getElementsByTagName('data')[0].textContent;
  console.log('Processed XML data: ' + content);
    } catch (error) {
  console.error('Error processing XML data: ' + error.message);
    }
}

PHP

<?php
$userInput = '<maliciousTag>Payload</maliciousTag>';

// Vulnerable XML construction without proper input validation
$xmlData = '<data>' . $userInput . '</data>';

// Process the XML data (vulnerable code)
processXmlData($xmlData);

function processXmlData($xmlData) {
    try {
  // Create a new DOMDocument
  $doc = new DOMDocument();

  // Load the XML data
  $doc->loadXML($xmlData);

  // Extract information from the XML (vulnerable code)
  $content = $doc->getElementsByTagName('data')->item(0)->textContent;
  echo 'Processed XML data: ' . $content . PHP_EOL;
    } catch (Exception $e) {
  echo 'Error processing XML data: ' . $e->getMessage() . PHP_EOL;
    }
}
?>

建议

• 避免直接拼接：避免在XML文档中直接拼接用户输入。
• 用户输入清理：将用户输入插入XML文档之前对其进行清理。
• 健壮的XML解析器：使用遵循XML规范的完善且安全的XML解析器。谨慎使用可能存在漏洞的自定义或过时的解析器。
• 禁用危险的XML功能：如果不需要，请禁用外部实体扩展以减少攻击面并缓解XXE漏洞的风险。

Java

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.StringReader;

public class MitigatedXMLInjectionExample {

    public static void main(String[] args) {
  // Simulated user input (this should come from a user or external source)
  String userInput = "<maliciousTag>Payload</maliciousTag>";

  // Mitigated XML construction with proper input validation
  String sanitizedInput = sanitizeUserInput(userInput);
  String xmlData = "<data>" + sanitizedInput + "</data>";

  // Process the XML data (mitigated code)
  processXmlData(xmlData);
    }

    public static String sanitizeUserInput(String input) {
  // Perform proper input validation and sanitization
  // For example, you can use a library or a regex to remove invalid characters
  return input.replaceAll("[&<>\"]", "");
    }

    public static void processXmlData(String xmlData) {
  try {
      // Parse the XML data
      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
      DocumentBuilder builder = factory.newDocumentBuilder();
      Document document = builder.parse(new org.xml.sax.InputSource(new StringReader(xmlData)));

      // Extract information from the XML (mitigated code)
      Element root = document.getDocumentElement();
      String content = root.getTextContent();
      System.out.println("Processed XML data: " + content);
  } catch (Exception e) {
      System.err.println("Error processing XML data: " + e.getMessage());
  }
    }
}

JavaScript

const userInput = '<maliciousTag>Payload</maliciousTag>';

// Mitigated XML construction with proper input validation
const sanitizedInput = sanitizeUserInput(userInput);
const xmlData = '<data>' + sanitizedInput + '</data>';

// Process the XML data (mitigated code)
processXmlData(xmlData);

function sanitizeUserInput(input) {
    // Perform proper input validation and sanitization
    // For example, you can use a library like DOMPurify for HTML/XML sanitization
    // Here, we are using a simple approach to remove invalid characters
    return input.replace(/[&<>"']/g, '');
}

function processXmlData(xmlData) {
    try {
  // Parse the XML data
  const parser = new DOMParser();
  const xmlDoc = parser.parseFromString(xmlData, 'text/xml');

  // Extract information from the XML (mitigated code)
  const content = xmlDoc.getElementsByTagName('data')[0].textContent;
  console.log('Processed XML data: ' + content);
    } catch (error) {
  console.error('Error processing XML data: ' + error.message);
    }
}

PHP

<?php
$userInput = '<maliciousTag>Payload</maliciousTag>';

// Mitigated XML construction with proper input validation
$sanitizedInput = sanitizeUserInput($userInput);
$xmlData = '<data>' . $sanitizedInput . '</data>';

// Process the XML data (mitigated code)
processXmlData($xmlData);

function sanitizeUserInput($input) {
    // Perform proper input validation and sanitization
    // For example, you can use functions like htmlspecialchars to sanitize XML content
    return htmlspecialchars($input, ENT_XML1, 'UTF-8');
}

function processXmlData($xmlData) {
    try {
  // Create a new DOMDocument
  $doc = new DOMDocument();

  // Load the XML data
  $doc->loadXML($xmlData);

  // Extract information from the XML (mitigated code)
  $content = $doc->getElementsByTagName('data')->item(0)->textContent;
  echo 'Processed XML data: ' . $content . PHP_EOL;
    } catch (Exception $e) {
  echo 'Error processing XML data: ' . $e->getMessage() . PHP_EOL;
    }
}
?>

链接

• OWASP
• scip.ch

标准

• GDPR:
  • ART_25
  • ART_32
• PCI_STANDARDS:
  • REQ_6_4
  • REQ_6_5
• SOC2_CONTROLS:
  • CC_2_1
  • CC_4_1
  • CC_7_1
  • CC_7_2
  • CC_7_4
  • CC_7_5
• HIPAA_CONTROLS:
  • SECURITY212
  • SECURITY213
  • SECURITY255