XPath Injection Vulnerability
XPath 注入漏洞
描述
XPath 注入(CWE-643)是一种针对使用 XPath 查询 XML 数据的应用程序的注入攻击。当未经验证的用户输入被直接拼接进 XPath 表达式文本时,攻击者就能改变查询的结构而不只是提供数据:例如在身份验证谓词中输入 `' or '1'='1`,会使谓词对任意节点成立,从而绕过登录;借助布尔盲注等技术,攻击者还能逐节点读出整份 XML 文档,包括其他用户的口令等敏感信息。需要注意的是,XPath 本身是只读的查询语言,注入本身并不会修改数据或执行代码;只有当应用把查询结果用于其他危险操作时,才可能进一步导致数据篡改或系统被控制。
/// Looks up books by author and shows the outcome in an AlertDialog.
///
/// VULNERABLE: [_searchQuery] is interpolated straight into the XPath text, so
/// whatever the caller typed becomes part of the query syntax instead of data.
/// As written the expression is also malformed (no quotes around the author
/// value and no closing `]`), and `result` is not defined in this function —
/// presumably it was meant to be derived from `xpath`.
void _fetch_data(String _searchQuery) {
final content = XmlDocument.parse(xmlFileContent);
final xml_node = XmlXPath.node(content);
// Injection point: untrusted input spliced into the expression string.
final xpath = xml_node.query('//book[author=$_searchQuery');
showDialog(
context: context,
builder: (context) => AlertDialog(
title: Text('Search Result'),
content: Text(result),
),
);
}
import Foundation
import SWXMLHash
/// Reads a search term from stdin and prints the title and author of every
/// book whose title contains it.
///
/// VULNERABLE: `searchTerm` is interpolated directly into the XPath text.
/// A term such as `')or('1'='1` turns the predicate into
/// `contains(text(), '')or('1'='1')`, which is true for every title.
/// The `readLine()!` force-unwrap additionally crashes the program on EOF.
func main() {
print("Enter search term:")
let searchTerm = readLine()!
let xml = SWXMLHash.parse(xmlString)
// Injection point: user input inside a single-quoted XPath literal.
let results = xml["books"]["book"].all(withAttribute: "title", matchingXPath: "//title[contains(text(), '\(searchTerm)')]")
for result in results {
// Force-unwraps: a book missing either element crashes the loop.
print(result["title"].element!.text)
print(result["author"].element!.text)
}
}
import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.xpath.XPathFactory
/**
 * Reads a username from stdin and evaluates an XPath lookup for it.
 *
 * VULNERABLE: the raw input is spliced into the expression text. Entering
 * `' or '1'='1` turns the predicate into `username/text()='' or '1'='1`,
 * which is true for every element, so the lookup matches all users.
 */
fun main() {
val userInput = readLine() ?: return
// Injection point: user input inside a single-quoted XPath literal.
val xpathQuery = "//*[username/text()='${userInput}']"
val xmlData = """
<users>
<user>
<username>Alice</username>
<password>pass123</password>
</user>
<user>
<username>Bob</username>
<password>pass456</password>
</user>
</users>
""".trimIndent()
val xpath = XPathFactory.newInstance().newXPath()
// NOTE(review): evaluate() expects a context item (a DOM Node or an
// InputSource), not the XML text; with a raw String the expression is not
// actually evaluated against xmlData. Parse it with DocumentBuilderFactory
// first when turning this into a runnable example.
val result = xpath.evaluate(xpathQuery, xmlData)
}
建议
为了缓解 XPath 注入漏洞,以下措施非常重要:
- 使用参数化查询,将用户输入与查询逻辑分离:对 XPath 而言,这意味着通过变量绑定(如 JAXP 中的 `XPathVariableResolver`,在表达式里写 `$username`)把输入作为数据传入;若所用的库不支持变量,则用 `concat()` 构造字符串字面量,而不是把输入直接拼接进表达式文本。
- 在将用户输入用于 XPath 查询之前,按白名单对其进行验证。注意:HTML/XML 实体编码(如 `&apos;`)对 XPath 解析器无效,它只会让合法的值无法匹配;在单引号字面量 `'...'` 中,唯一能提前结束字面量的字符是 `'`,而 XPath 1.0 没有对它的转义序列,所以验证或清理至少必须排除这个字符。
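/// Returns true when [_searchQuery] is safe to embed inside a single-quoted
/// XPath string literal.
///
/// This is an anchored allowlist: letters and digits of any script, space,
/// hyphen and period are accepted; everything else is rejected. In particular
/// `'` — the only character that can terminate a single-quoted XPath 1.0
/// literal — and syntax such as `(`, `)`, `[`, `]`, `=` can never pass.
/// The allowlist may be widened for a given search field as long as `'`
/// stays out of it.
///
/// The previous implementation looped over an undefined `tokens` list and
/// tested an undefined `string` for an uppercase letter, which neither
/// compiled nor said anything about injection.
///
/// Validation is a second line of defence; where the XPath library offers
/// variable binding, prefer that over building the expression from text.
bool _validate_query(String _searchQuery) {
  // Empty or whitespace-only input is rejected rather than becoming an empty
  // predicate value.
  if (_searchQuery.trim().isEmpty) {
    return false;
  }
  // Every character must belong to the permitted set (Unicode-aware so that
  // names such as "García Márquez" are accepted).
  final allowed = RegExp(r'^[\p{L}\p{N} .-]+$', unicode: true);
  return allowed.hasMatch(_searchQuery);
}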
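/// Looks up books by author and shows the outcome in an AlertDialog.
///
/// [_searchQuery] is used only if `_validate_query` accepts it, i.e. it
/// consists solely of allowlisted characters and in particular contains no
/// `'`. That is what makes the interpolation below safe: inside a
/// single-quoted XPath 1.0 literal the only character that can end the literal
/// is `'`, so an allowlisted value cannot change the structure of the query.
/// If the XPath package in use supports binding variables, prefer that over
/// interpolation.
void _fetch_data(String _searchQuery) {
  // Fail closed: an invalid term is dropped and nothing is queried.
  if (!_validate_query(_searchQuery)) {
    return;
  }
  final content = XmlDocument.parse(xmlFileContent);
  final xml_node = XmlXPath.node(content);
  // The author value is quoted and the predicate is closed; the original
  // literal lacked both, so it was not even a well-formed expression.
  final xpath = xml_node.query("//book[author='$_searchQuery']");
  // NOTE(review): the query result type depends on the XPath package; it is
  // rendered via toString() here — adapt to the package's node API.
  final result = xpath.toString();
  showDialog(
    context: context,
    builder: (context) => AlertDialog(
      title: Text('Search Result'),
      content: Text(result),
    ),
  );
}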
import Foundation
import SWXMLHash
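/// Renders `value` as an XPath 1.0 string literal so that it is always read as
/// data, never as query syntax.
///
/// XPath 1.0 has no escape sequence inside string literals, so a value that
/// contains `'` can only be expressed with concat(). A value with no single
/// quote becomes `'value'`; otherwise it is split on `'` and the pieces are
/// joined with the double-quoted literal `"'"`:
/// `a'b` -> `concat('a', "'", 'b')`.
private func xpathLiteral(_ value: String) -> String {
    if !value.contains("'") {
        return "'\(value)'"
    }
    let pieces = value
        .split(separator: "'", omittingEmptySubsequences: false)
        .map { "'\($0)'" }
    return "concat(" + pieces.joined(separator: ", \"'\", ") + ")"
}

/// Reads a search term from stdin and prints the title and author of every
/// book whose title contains it.
///
/// The previous version percent-encoded the term with `.urlQueryAllowed`.
/// That set leaves the RFC 3986 sub-delimiters — including `'`, `(`, `)`
/// and `=` — unencoded, so a term such as `')or('1'='1` still rewrote the
/// predicate into `contains(text(), '')or('1'='1')` and matched every title.
/// The term is now emitted through `xpathLiteral`, which cannot be broken out
/// of, and EOF / empty input is rejected instead of force-unwrapped.
func main() {
    print("Enter search term:")
    guard let searchTerm = readLine(), !searchTerm.isEmpty else {
        print("Invalid search term")
        return
    }
    let xml = SWXMLHash.parse(xmlString)
    let query = "//title[contains(text(), \(xpathLiteral(searchTerm)))]"
    let results = xml["books"]["book"].all(withAttribute: "title", matchingXPath: query)
    for result in results {
        // Optional chaining instead of `!`: a book missing either element is
        // printed as an empty line rather than crashing the program.
        print(result["title"].element?.text ?? "")
        print(result["author"].element?.text ?? "")
    }
}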
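/**
 * Makes [input] safe to embed inside a single-quoted XPath 1.0 string literal.
 *
 * The previous version tried to replace `&`, `<`, `>`, `"` and `'` with XML
 * entities. That is the wrong tool for XPath: the XPath parser does not decode
 * entities, so `&apos;` stays six literal characters and a legitimate name
 * containing `'` never matches, while `&`, `<` and `>` are harmless inside a
 * literal anyway. Inside `'...'` the only character that can end the literal
 * is `'`, and XPath 1.0 has no escape sequence for it, so it is removed here
 * and everything else is passed through unchanged.
 *
 * This is defence in depth for callers that must build the expression as
 * text; binding the value through an XPathVariableResolver is preferable
 * because it needs no transformation at all and keeps names with `'` matchable.
 *
 * @param input untrusted text destined for a `'...'` literal
 * @return [input] with every `'` removed; `""` for an empty input
 */
fun sanitize(input: String): String = input.filterNot { it == '\'' }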
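/**
 * Reads a username from stdin and prints the matching `<username>` values.
 *
 * Differences from the text-concatenating version:
 *  - The XML is parsed into a DOM Document first. `XPathExpression.evaluate`
 *    takes a context *item* (a Node or InputSource); handing it the raw String
 *    did not query the data at all.
 *  - The input is bound as the XPath variable `$username` through an
 *    XPathVariableResolver. The value never becomes part of the expression
 *    text, so quotes or operators in it cannot change the query's structure —
 *    the XPath equivalent of a prepared statement. No escaping is needed and
 *    names containing `'` still match.
 *  - The expression selects `username` elements rather than whole `user`
 *    elements, so the sibling `<password>` is no longer part of the printed
 *    `textContent`.
 *  - The result is a NodeList, not a Kotlin List; the old `as? List<*>` cast
 *    always produced an empty list, so nothing was ever printed.
 */
fun main() {
    val userInput = readLine() ?: return
    val xmlData = """
        <users>
          <user>
            <username>Alice</username>
            <password>pass123</password>
          </user>
          <user>
            <username>Bob</username>
            <password>pass456</password>
          </user>
        </users>
    """.trimIndent()

    val builderFactory = javax.xml.parsers.DocumentBuilderFactory.newInstance().apply {
        // The data is a constant here, but this is the line to keep when it is
        // not: refusing DOCTYPEs blocks XXE and entity-expansion attacks.
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    }
    val document = builderFactory
        .newDocumentBuilder()
        .parse(org.xml.sax.InputSource(java.io.StringReader(xmlData)))

    val xpath = javax.xml.xpath.XPathFactory.newInstance().newXPath()
    // The resolver is consulted for every `$name` in the expression; any name
    // other than `username` is unknown (null), which makes evaluation fail
    // rather than silently match.
    xpath.setXPathVariableResolver(
        javax.xml.xpath.XPathVariableResolver { name ->
            if (name.localPart == "username") userInput else null
        }
    )
    // `$` is escaped so Kotlin does not treat `$username` as a string template.
    val expression = xpath.compile("//user[username/text()=\$username]/username")

    val nodes = expression.evaluate(
        document,
        javax.xml.xpath.XPathConstants.NODESET
    ) as org.w3c.dom.NodeList
    val matchedUsers = (0 until nodes.length)
        .map { index -> nodes.item(index).textContent }
        .joinToString(", ")
    println("Matched users: $matchedUsers")
}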
链接
标准
- OWASP_MASVS_L1:
- MSTG_PLATFORM_2
- OWASP_MASVS_L2:
- MSTG_PLATFORM_2
- CWE_TOP_25:
- CWE_89
- PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- REQ_6_3
- REQ_11_3
- OWASP_MASVS_v2_1:
- MASVS_CODE_4
- SOC2_CONTROLS:
- CC_2_1
- CC_3_4
- CC_4_1
- CC_7_1
- CC_7_2
- CC_7_4
- CC_7_5
- HIPAA_CONTROLS:
- SECURITY212
- SECURITY213
- SECURITY255