Merge pull request #106 from Ostorlab/xml_injection

Add KB for XML Injection
Ostorlab · Jan 5, 2024 · 3d4f86e · 3d4f86e
2 parents 39862fc + 94c5461
commit 3d4f86e
Show file tree

Hide file tree

Showing 3 changed files with 251 additions and 0 deletions.
diff --git a/WEB_SERVICE/WEB/_HIGH/XML_INJECTION/description.md b/WEB_SERVICE/WEB/_HIGH/XML_INJECTION/description.md
@@ -0,0 +1,101 @@
+XML injection vulnerabilities occur when user input is improperly incorporated into a server-side XML document or SOAP message. Exploiting this vulnerability involves manipulating XML metacharacters to potentially alter the XML structure. The impact varies based on the function utilizing the XML document, ranging from disrupting application logic to unauthorized actions or unauthorized access to sensitive data.
+
+
+### Examples
+
+#### Java
+
+```java
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.StringWriter;
+
+public class XMLInjectionExample {
+
+    public static void main(String[] args) {
+        // Simulated user input (this should come from a user or external source)
+        String userInput = "<maliciousTag>Payload</maliciousTag>";
+
+        // Vulnerable XML construction without proper input validation
+        String xmlData = "<data>" + userInput + "</data>";
+
+        // Process the XML data (vulnerable code)
+        processXmlData(xmlData);
+    }
+
+    public static void processXmlData(String xmlData) {
+        try {
+            // Parse the XML data
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            Document document = builder.parse(new org.xml.sax.InputSource(new java.io.StringReader(xmlData)));
+
+            // Extract information from the XML (vulnerable code)
+            Element root = document.getDocumentElement();
+            String content = root.getTextContent();
+            System.out.println("Processed XML data: " + content);
+        } catch (Exception e) {
+            System.err.println("Error processing XML data: " + e.getMessage());
+        }
+    }
+}
+```
+
+#### JavaScript
+
+```javascript
+const userInput = '<maliciousTag>Payload</maliciousTag>';
+
+// Vulnerable XML construction without proper input validation
+const xmlData = '<data>' + userInput + '</data>';
+
+// Process the XML data (vulnerable code)
+processXmlData(xmlData);
+
+function processXmlData(xmlData) {
+    try {
+        // Parse the XML data
+        const parser = new DOMParser();
+        const xmlDoc = parser.parseFromString(xmlData, 'text/xml');
+
+        // Extract information from the XML (vulnerable code)
+        const content = xmlDoc.getElementsByTagName('data')[0].textContent;
+        console.log('Processed XML data: ' + content);
+    } catch (error) {
+        console.error('Error processing XML data: ' + error.message);
+    }
+}
+```
+
+#### PHP
+
+```php
+<?php
+$userInput = '<maliciousTag>Payload</maliciousTag>';
+
+// Vulnerable XML construction without proper input validation
+$xmlData = '<data>' . $userInput . '</data>';
+
+// Process the XML data (vulnerable code)
+processXmlData($xmlData);
+
+function processXmlData($xmlData) {
+    try {
+        // Create a new DOMDocument
+        $doc = new DOMDocument();
+
+        // Load the XML data
+        $doc->loadXML($xmlData);
+
+        // Extract information from the XML (vulnerable code)
+        $content = $doc->getElementsByTagName('data')->item(0)->textContent;
+        echo 'Processed XML data: ' . $content . PHP_EOL;
+    } catch (Exception $e) {
+        echo 'Error processing XML data: ' . $e->getMessage() . PHP_EOL;
+    }
+}
+?>
+```
+
diff --git a/WEB_SERVICE/WEB/_HIGH/XML_INJECTION/meta.json b/WEB_SERVICE/WEB/_HIGH/XML_INJECTION/meta.json
@@ -0,0 +1,27 @@
+{
+  "risk_rating": "high",
+  "short_description": "The web application is susceptible to an XML injection vulnerability.",
+  "references": {
+    "OWASP":"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection",
+    "scip.ch": "https://www.scip.ch/en/?labs.20231005"
+  },
+  "title": "XML Injection",
+  "privacy_issue": true,
+  "security_issue": true,
+  "categories": {
+    "CWE_TOP_25": [
+      "CWE_91",
+      "CWE_74",
+      "CWE_652",
+      "CWE-643"
+    ],
+    "GDPR": [
+      "ART_25",
+      "ART_32"
+    ],
+    "PCI_STANDARDS":[
+      "REQ_6_4",
+      "REQ_6_5"
+    ]
+  }
+}
diff --git a/WEB_SERVICE/WEB/_HIGH/XML_INJECTION/recommendation.md b/WEB_SERVICE/WEB/_HIGH/XML_INJECTION/recommendation.md
@@ -0,0 +1,123 @@
+- __Avoid direct concatenation__: Avoid concatenating user input directly in XML documents.
+- __User input sanitization__: Sanitize user input before inserting it into XML documents.
+- __Robust XML Parsers__: Use well-established and secure XML parsers that adhere to the XML specifications. Be cautious of custom or outdated parsers that may have vulnerabilities.
+- __Disable dangerous XML features__: if not needed, disable external entity expansion to reduce the attack surface and mitigate the risk of XXE vulnerabilities.
+
+### Examples
+
+#### Java
+
+```java
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.StringReader;
+
+public class MitigatedXMLInjectionExample {
+
+    public static void main(String[] args) {
+        // Simulated user input (this should come from a user or external source)
+        String userInput = "<maliciousTag>Payload</maliciousTag>";
+
+        // Mitigated XML construction with proper input validation
+        String sanitizedInput = sanitizeUserInput(userInput);
+        String xmlData = "<data>" + sanitizedInput + "</data>";
+
+        // Process the XML data (mitigated code)
+        processXmlData(xmlData);
+    }
+
+    public static String sanitizeUserInput(String input) {
+        // Perform proper input validation and sanitization
+        // For example, you can use a library or a regex to remove invalid characters
+        return input.replaceAll("[&<>\"]", "");
+    }
+
+    public static void processXmlData(String xmlData) {
+        try {
+            // Parse the XML data
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            Document document = builder.parse(new org.xml.sax.InputSource(new StringReader(xmlData)));
+
+            // Extract information from the XML (mitigated code)
+            Element root = document.getDocumentElement();
+            String content = root.getTextContent();
+            System.out.println("Processed XML data: " + content);
+        } catch (Exception e) {
+            System.err.println("Error processing XML data: " + e.getMessage());
+        }
+    }
+}
+```
+#### JavaScript
+
+```javascript
+const userInput = '<maliciousTag>Payload</maliciousTag>';
+
+// Mitigated XML construction with proper input validation
+const sanitizedInput = sanitizeUserInput(userInput);
+const xmlData = '<data>' + sanitizedInput + '</data>';
+
+// Process the XML data (mitigated code)
+processXmlData(xmlData);
+
+function sanitizeUserInput(input) {
+    // Perform proper input validation and sanitization
+    // For example, you can use a library like DOMPurify for HTML/XML sanitization
+    // Here, we are using a simple approach to remove invalid characters
+    return input.replace(/[&<>"']/g, '');
+}
+
+function processXmlData(xmlData) {
+    try {
+        // Parse the XML data
+        const parser = new DOMParser();
+        const xmlDoc = parser.parseFromString(xmlData, 'text/xml');
+
+        // Extract information from the XML (mitigated code)
+        const content = xmlDoc.getElementsByTagName('data')[0].textContent;
+        console.log('Processed XML data: ' + content);
+    } catch (error) {
+        console.error('Error processing XML data: ' + error.message);
+    }
+}
+```
+
+#### PHP
+
+```php
+<?php
+$userInput = '<maliciousTag>Payload</maliciousTag>';
+
+// Mitigated XML construction with proper input validation
+$sanitizedInput = sanitizeUserInput($userInput);
+$xmlData = '<data>' . $sanitizedInput . '</data>';
+
+// Process the XML data (mitigated code)
+processXmlData($xmlData);
+
+function sanitizeUserInput($input) {
+    // Perform proper input validation and sanitization
+    // For example, you can use functions like htmlspecialchars to sanitize XML content
+    return htmlspecialchars($input, ENT_XML1, 'UTF-8');
+}
+
+function processXmlData($xmlData) {
+    try {
+        // Create a new DOMDocument
+        $doc = new DOMDocument();
+
+        // Load the XML data
+        $doc->loadXML($xmlData);
+
+        // Extract information from the XML (mitigated code)
+        $content = $doc->getElementsByTagName('data')->item(0)->textContent;
+        echo 'Processed XML data: ' . $content . PHP_EOL;
+    } catch (Exception $e) {
+        echo 'Error processing XML data: ' . $e->getMessage() . PHP_EOL;
+    }
+}
+?>
+```