1C : XML injection

Overview

The application writes data from an untrusted source to an XML file. This allows an attacker to change the structure and content of the file.

Applications typically use XML to store data or for messaging. In the first case, the XML file is treated as a database and can contain valuable data. Web applications can also use XML messaging to exchange valuable data.

An attacker who can write data to the XML document can change its semantics. In the most harmless case, the attacker injects excess tags into the document, causing the XML parser to exit with an error. In more serious cases, the attacker can add XML elements that change authentication data or other data (such as prices, in the case of a store's database). In some cases, XML injection can lead to cross-site scripting (XSS) and remote code execution.
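The effect described above, shown as an added example that is not part of the original page or of DerScanner. It is written in Python rather than 1C so that it runs as-is; the function names, the `<item>` layout and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs standing in for untrusted user data.
INJECTED_NAME = "Pen</name><price>0.01</price><name>Pen"  # adds elements
BROKEN_NAME = "<b>"                                       # unbalanced tag


def build_item_unsafe(name: str, price: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the markup."""
    return f"<item><name>{name}</name><price>{price}</price></item>"


def build_item_safe(name: str, price: str) -> str:
    """Hardened: the serializer escapes <, > and & in text nodes."""
    item = ET.Element("item")
    ET.SubElement(item, "name").text = name
    ET.SubElement(item, "price").text = price
    return ET.tostring(item, encoding="unicode")


def parses(xml_text: str) -> bool:
    """True if the document is well-formed."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def first_price(xml_text: str) -> str:
    """What a consumer that reads the first <price> element would see."""
    return ET.fromstring(xml_text).findtext("price")


def structure_is_intact(xml_text: str) -> bool:
    """Check on read: an item holds exactly one <name>, then one <price>."""
    root = ET.fromstring(xml_text)
    return [child.tag for child in root] == ["name", "price"]


if __name__ == "__main__":
    for build in (build_item_unsafe, build_item_safe):
        doc = build(INJECTED_NAME, "9.99")
        print(build.__name__, first_price(doc), structure_is_intact(doc))
    print("unbalanced tag parses:", parses(build_item_unsafe(BROKEN_NAME, "9.99")))
```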

DerScanner Severity Score: MEDIUM

See also

1C : Null encryption key

1C : Memory leak

1C : Empty encryption key