Total Tests:

CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Get exclusive updates and invitations to our events and webinars:


Your data will stay confidential Private and Confidential

XML Injection [CWE-91]

XML Injection weakness describes improper neutralization of special elements used in XML queries.

XML Injection [CWE-91]

Created: February 23, 2013
Latest Update: December 28, 2020

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Mitigations
  6. Severity and CVSS Scoring
  7. References

Want to have an in-depth understanding of all modern aspects of
XML Injection [CWE-91]? Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

A variety of popular software (Apache Tomcat, OpenOffice, Microsoft Office, IM Jabber, Zend Framework, IBM WebSphere) uses eXtensible Markup Language (XML) to communicate with back-end servers, authenticate users, store information, etc. XML data structure is used in plenty of protocols, such as XML-RPC, SOAP, Jabber, WDDX, XMI.

To demonstrate XML injection weakness we will use a simple application that creates new users. The XML file with user credentials should look as follows:
XML file

  1. <?xml version="1.0" encoding="ISO-8859-1"?>
  2. <users>
  3.         <user>
  4.                 <username>admin</username>
  5.                 <password>VeryStrongP@ssw0rd</password>
  6.                 <userid>1</userid>
  7.                 <groupid>1</groupid>
  8.                 <email>admin@mysite.com</email>
  9.         </user>
  10.         <user>
  11.                 <username>user</username>
  12.                 <password>weakpass</password>
  13.                 <userid>500</userid>
  14.                 <groupid>10</groupid>
  15.                 <email>user@mysite.com</email>
  16.         </user>
  17. </users>

Registration form

  1. <form name="frm" method="post" action="">
  2. <p>Username: <input type="text" name="login"></p>
  3. <p>Password: <input type="password" name="passwd"></p>
  4. <p>Email: <input type="text" name="login"></p>
  5. <p><input type="submit" value="Log In" name="btLogin"></p>
  6. </form>

Let's assume that application assigns privileges based on group membership. In this case, we have to modify the resultant XML file during registration and add new user to group #1. To achieve this, we must provide the following data:
Username: attacker
Password: password</password><!--
E-mail: --><userid>10000</userid><groupid>1</groupid><mail>attacker@attacker.com

Once executed the XML file will look like this:

  1. <?xml version="1.0" encoding="ISO-8859-1"?>
  2. <users>
  3.         <user>
  4.                 <username>admin</username>
  5.                 <password>VeryStrongP@ssw0rd</password>
  6.                 <userid>1</userid>
  7.                 <groupid>1</groupid>
  8.                 <mail>admin@mysite.com</mail>
  9.         </user>
  10.         <user>
  11.                 <username>user</username>
  12.                 <password>weakpass</password>
  13.                 <userid>500</userid>
  14.                 <groupid>10</groupid>
  15.                 <mail>user@mysite.com</mail>
  16.         </user>
  17.         <user>
  18.                 <username>attacker</username>
  19.                 <password>password</password> <!--
  20.                 <userid>500</userid>
  21.                 <groupid>10</groupid>
  22.                 <mail>--><userid>10000</userid><groupid>1</groupid><mail>attacker@attacker.com</mail>
  23.         </user>
  24. </users>

The provided result will be as follows:

  1. SimpleXMLElement Object
  2. (
  3.     [user] => Array
  4.         (
  5.             [0] => SimpleXMLElement Object
  6.                 (
  7.                     [username] => admin
  8.                     [password] => VeryStrongP@ssw0rd
  9.                     [userid] => 1
  10.                     [groupid] => 1
  11.                     [mail] => admin@mysite.com
  12.                 )
  13.  
  14.             [1] => SimpleXMLElement Object
  15.                 (
  16.                     [username] => user
  17.                     [password] => weakpass
  18.                     [userid] => 500
  19.                     [groupid] => 10
  20.                     [mail] => user@mysite.com
  21.                 )
  22.  
  23.             [2] => SimpleXMLElement Object
  24.                 (
  25.                     [username] => attacker
  26.                     [password] => password
  27.                     [comment] => SimpleXMLElement Object
  28.                         (
  29.                         )
  30.  
  31.                     [userid] => 10000
  32.                     [groupid] => 1
  33.                     [mail] => attacker@attacker.com
  34.                 )
  35.         )
  36.  
  37. )

As you can see, the new user is member of the first group. So, we successfully injected XML code and achieved the needed result.

2. Potential impact

As for any code injection, potential impact depends on vulnerable application and its functionality. An attacker might be able to gain access to potentially sensitive information, modify or delete data and elevate privileges within the application. XML Injection can be used in XXE attacks to gain access to internal networks, gather sensitive information, perform port scans, etc. In a worst-case scenario this weakness could result in full system compromise.

How to Detect XML Injection Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

3. Attack patterns

According to CAPEC there are following attack patterns for this weakness:


Another classification from WASC gives the following attack techniques:

4. Affected software

Extensible Markup Language is integrated in a variety of client/server applications and protocols. Software that uses XML-based protocols might be potentially vulnerable to this weakness.

5. Mitigations

Possible protection mechanisms against XML injections depend on validation of external input. When developing application pay extra attention to supplied input data. Programmers can use regular expressions to validate untrusted input. The following regular expression can limit the scope of potential attacks by allowing only numbers and letters:
/[^0-9a-z]/i

Perform filtration of output information as an additional level of security.

6. Severity and CVSS Scoring

XML injections weaknesses can influence confidentiality, integrity and availability of the application. Depending on application’s functionality, an attacker might be able to read, modify, delete information stored in XML files or even elevate privileges within the application.

In case of information disclosure for unprivileged user, this weakness should be scored as:
5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N] – Medium severity.

In case of unauthorized data manipulation, this weakness should be scored as:
6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L] – Medium severity.

In case of authentication bypass and privilege escalation, this weakness can be scored as:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] – Critical severity.

7. References

  1. CWE-91: XML Injection (aka Blind XPath Injection) [cwe.mitre.org]
  2. Testing for XML Injection (OWASP-DV-008) [www.owasp.org]
  3. XML Injection [clawslab.nds.rub.de]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
Your data will stay private and confidential