AttackFlow Findings Dictionary


XML Injection

An attacker can inject partial XML structures into the application and manipulate the XML output, with consequences ranging from denial of service to unauthorized access to system resources.

Severity

High

Fix Cost

Low

Trust Level

Medium

XML is one of the most widely used data formats for data storage and processing, although it is not as popular as it used to be. Many technologies dating from the early 2000s, and an important part of current technologies, still depend on processing and using this data definition and structure standard.

An example in C# that outputs XML using user input follows:

using System.Xml;

using (XmlWriter writer = XmlWriter.Create("employees.xml"))
{
    writer.WriteStartDocument();
    writer.WriteStartElement("Employees");

    foreach (Employee employee in employees)
    {
        writer.WriteStartElement("Employee");

        writer.WriteElementString("ID", employee.Id.ToString());
        // Vulnerable: WriteRaw writes the string as-is, with no XML escaping
        writer.WriteRaw("<FirstName>" + employee.FirstName + "</FirstName>");
        writer.WriteRaw("<LastName>" + employee.LastName + "</LastName>");

        writer.WriteEndElement();
    }
    ...

The code above takes FirstName and LastName from an untrusted source (the attacker, for example) and writes them to the XML with the WriteRaw method, which does not apply any XML metacharacter encoding. The attacker can therefore send a partial XML string in the FirstName parameter and deliberately manipulate the XML that is later produced for processing.

Every injection attack occurs because code and untrusted data are mixed. As developers, we are rarely provided with secure APIs that keep these two kinds of information (code and data) apart until runtime. In the code above, mixing the data (the name coming from the user) with the code (the partial XML statements) results in XML injection. The attacker can potentially manipulate the overall XML output and, when this manipulated XML is processed later on, access information that they could not access otherwise.


The same pattern in Java, again writing user input into the XML output:

import java.io.StringWriter;
import java.io.Writer;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamWriter;

Writer out = new StringWriter();
XMLStreamWriter writer = XMLOutputFactory.newInstance().createXMLStreamWriter(out);
writer.writeStartDocument();

for (Employee employee : employees)
{
    writer.writeStartElement("Employee");

    writer.flush(); // important

    // Vulnerable: writing to the underlying stream bypasses the XML writer's escaping
    out.write("<FirstName>" + employee.FirstName + "</FirstName>");
    out.write("<LastName>" + employee.LastName + "</LastName>");
    out.flush();

    writer.writeEndElement();
    writer.flush();
}

The code above takes FirstName and LastName from an untrusted source (the attacker, for example) and writes them to the XML with the stream's write method, which does not apply any XML metacharacter encoding. The attacker can therefore send a partial XML string in the FirstName parameter and deliberately manipulate the XML that is later produced for processing.
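The hardened form of the Java example above, next to the vulnerable concatenation, as an added example that is not part of the original page. The class name, method names and sample input are assumptions made for illustration; the later processing step is modelled by a DOM parse that counts Role elements in the output.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamWriter;

public class XmlInjectionDemo {
    // Vulnerable pattern from the page: untrusted text is concatenated into markup.
    static String buildRaw(String firstName) {
        return "<Employee><FirstName>" + firstName + "</FirstName></Employee>";
    }

    // Hardened: the writer creates the element and escapes the text content.
    static String buildEscaped(String firstName) throws Exception {
        StringWriter out = new StringWriter();
        XMLStreamWriter writer = XMLOutputFactory.newInstance().createXMLStreamWriter(out);
        writer.writeStartElement("Employee");
        writer.writeStartElement("FirstName");
        writer.writeCharacters(firstName); // escapes <, > and & in the value
        writer.writeEndElement();
        writer.writeEndElement();
        writer.close();
        return out.toString();
    }

    // Parse the output as a later processing step would and count <Role> elements.
    static int countRoleElements(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagName("Role").getLength();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a "name" value that carries markup.
        String input = "Ann</FirstName><Role>admin</Role><FirstName>x";
        String raw = buildRaw(input);
        String safe = buildEscaped(input);
        System.out.println(raw + " -> Role elements: " + countRoleElements(raw));
        System.out.println(safe + " -> Role elements: " + countRoleElements(safe));
    }
}
```

In the C# example the equivalent change is to replace the WriteRaw calls with WriteElementString, which that code already uses for the ID field and which escapes the value it writes.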

