XML Injection

ID

java.xml_injection

Severity

high

Resource

Injection

Language

Java

Tags

CWE:91, NIST.SP.800-53, PCI-DSS:6.5.1

Description

XML injection (CWE-91, also known as Blind XPath Injection): untrusted input is allowed to select, or to be written into, the XSLT stylesheet applied in a transformation.

Rationale

If the software permits untrusted input to determine part or all of an XSLT stylesheet, an attacker can alter the structure and content of the transformation output. If that output is rendered in a browser, the attacker can craft it to carry out cross-site scripting, or to issue requests to the server that run with the victim's session under the browser's same-origin policy, a variant of cross-site request forgery.

The vulnerability also exposes the server itself. XSLT functions such as document() can read arbitrary local files or URLs, and processor extension functions can call into Java and, through it, run OS commands, unless the transformer is configured to disable them.

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltServlet {

  // Opens whatever URL the request names: the client picks both the document and the stylesheet.
  private static InputStream openStream(String url) throws IOException {
    return new URL(url).openStream();
  }

  public void handle(HttpServletRequest req, HttpServletResponse res) throws TransformerException, IOException {
    InputStream xmlUrl = openStream(req.getParameter("xml.url"));
    InputStream xsltUrl = openStream(req.getParameter("xslt.url")); // externally controlled

    Source xmlSource = new StreamSource(xmlUrl);
    Source xsltSource = new StreamSource(xsltUrl);
    Result result = new StreamResult(res.getOutputStream());

    // Default factory: extension functions and external resource access are not restricted.
    TransformerFactory fact = TransformerFactory.newInstance();
    Transformer transformer = fact.newTransformer(xsltSource); // FLAW: attacker-supplied stylesheet is compiled and executed
    transformer.transform(xmlSource, result);
  }
}

Remediation

Never allow untrusted input to determine the XSLT stylesheet used in a transformation, or to be appended to the stylesheet source that will be compiled.

If untrusted input must select the stylesheet dynamically, use an allow-list: accept only a key that maps to one of a predefined set of fixed stylesheets, and reject anything else. Where user-controlled values must reach the stylesheet, validate them strictly and pass them as stylesheet parameters (xsl:param) rather than concatenating them into the stylesheet text.

Additionally, configure the transformer to permit only a limited set of verified safe functions. With JAXP, enable XMLConstants.FEATURE_SECURE_PROCESSING on the TransformerFactory, which disables extension functions, and set the XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_STYLESHEET attributes to an empty string so that xsl:import, xsl:include and document() cannot reach external resources.
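The following servlet is an added example of the remediation above, written for this page rather than taken from the detector or from any project it scans. It assumes the class name SafeXsltServlet, the request parameters xslt.name and title, and the classpath resources /xslt/invoice.xsl and /xslt/report.xsl; all of these are illustrative names. It combines the three measures: an allow-list that maps a key to a fixed stylesheet, a factory hardened with secure processing and no external access, and user input passed only as a validated stylesheet parameter. It also parses the untrusted XML document with DOCTYPE disabled, since the XML side of the transformation is attacker-controlled as well.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.*;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.*;

public class SafeXsltServlet {

  // Allow-list: the request carries a key, never a path or URL.
  // Keys and resource paths are assumed for this example.
  private static final Map<String, String> STYLESHEETS = Map.of(
      "invoice", "/xslt/invoice.xsl",
      "report", "/xslt/report.xsl");

  // Compiled once from trusted classpath resources. Templates is thread-safe;
  // a Transformer is not, so one is created per request in handle().
  private static final Map<String, Templates> COMPILED = compileStylesheets();

  private static TransformerFactory secureFactory() throws TransformerConfigurationException {
    TransformerFactory fact = TransformerFactory.newInstance();
    // Secure processing disables extension functions (no calls from XSLT into Java).
    fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Empty protocol list: no external DTDs, and no external access from
    // xsl:import, xsl:include or document().
    fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    return fact;
  }

  private static Map<String, Templates> compileStylesheets() {
    Map<String, Templates> out = new HashMap<>();
    try {
      TransformerFactory fact = secureFactory();
      for (Map.Entry<String, String> e : STYLESHEETS.entrySet()) {
        InputStream in = SafeXsltServlet.class.getResourceAsStream(e.getValue());
        if (in == null) {
          throw new IllegalStateException("stylesheet resource missing: " + e.getValue());
        }
        out.put(e.getKey(), fact.newTemplates(new StreamSource(in)));
      }
    } catch (TransformerConfigurationException ex) {
      throw new IllegalStateException("cannot compile stylesheets", ex);
    }
    return Map.copyOf(out);
  }

  // The XML document is untrusted too: refuse any DOCTYPE so the input cannot
  // use external entities to read files or contact the network.
  private static Source untrustedXml(InputStream in) throws IOException {
    try {
      SAXParserFactory spf = SAXParserFactory.newInstance();
      spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
      spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      XMLReader reader = spf.newSAXParser().getXMLReader();
      return new SAXSource(reader, new InputSource(in));
    } catch (ParserConfigurationException | SAXException ex) {
      throw new IOException("cannot build hardened XML parser", ex);
    }
  }

  public void handle(HttpServletRequest req, HttpServletResponse res)
      throws TransformerException, IOException {
    // The client chooses among our stylesheets but can never supply one.
    String key = req.getParameter("xslt.name");
    Templates templates = (key == null) ? null : COMPILED.get(key);
    if (templates == null) {
      res.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown stylesheet");
      return;
    }

    Transformer transformer = templates.newTransformer();
    // User-controlled values are validated and passed as parameters (read by
    // xsl:param in the stylesheet), never spliced into stylesheet text.
    String title = req.getParameter("title");
    if (title != null && title.matches("[A-Za-z0-9 ._-]{1,80}")) {
      transformer.setParameter("title", title);
    }

    transformer.transform(untrustedXml(req.getInputStream()),
        new StreamResult(res.getOutputStream()));
  }
}
```

The ACCESS_EXTERNAL_* attributes are honoured by the JDK's built-in processor; a third-party TransformerFactory that does not recognise them throws IllegalArgumentException from setAttribute, which is the right time to find out, since it means the processor must be locked down with its own switches instead. Compiling the stylesheets at class-load time also means a missing or malformed stylesheet fails deployment rather than a request.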

Configuration

The detector has the following configurable parameters:

  • sources: the source kinds (taint entry points) to check.

  • neutralizations: the neutralization kinds (validation or sanitization routines) that clear a tainted value.