CWE-112 Individual Dictionary Definition (Draft 9)
| Field | Value |
|---|---|
| Weakness ID | 112 (Weakness Base) |
| Status | Draft |
| Description | Summary: Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input. |
| Weakness Ordinality | Primary (Weakness exists independent of other weaknesses) |
| Causal Nature | Explicit (This is an explicit weakness resulting from behavior of the developer) |
| Potential Mitigations | Always validate XML input against a known XML Schema or DTD. Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system. |
| Context Notes | Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed. |
| Relationships | |
| Source Taxonomies | 7 Pernicious Kingdoms - Missing XML Validation |
| Applicable Platforms | All |

Related Attack Patterns

| CAPEC-ID | Attack Pattern Name |
|---|---|
| 99 | XML Parser Attack |
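The mitigation above ("always validate XML input against a known XML Schema or DTD") in working form, as an added example that is not part of the CWE entry: a Java program using the standard JAXP validation API (`javax.xml.validation`) to check every incoming document against an embedded, trusted schema before the application touches its content. The `order` document format, its XSD and the sample inputs are constructed for this illustration and are assumptions, not anything defined by CWE or 7 Pernicious Kingdoms.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class OrderXmlValidation {

    // Constructed schema (an assumption for this example): the only document shape the
    // application is willing to accept. It bounds element count, attribute values and types.
    private static final String ORDER_XSD = """
        <?xml version="1.0" encoding="UTF-8"?>
        <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
          <xs:element name="order">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="item" minOccurs="1" maxOccurs="10">
                  <xs:complexType>
                    <xs:attribute name="sku" use="required">
                      <xs:simpleType>
                        <xs:restriction base="xs:string">
                          <xs:pattern value="[A-Z0-9]{4,12}"/>
                        </xs:restriction>
                      </xs:simpleType>
                    </xs:attribute>
                    <xs:attribute name="qty" use="required">
                      <xs:simpleType>
                        <xs:restriction base="xs:positiveInteger">
                          <xs:maxInclusive value="100"/>
                        </xs:restriction>
                      </xs:simpleType>
                    </xs:attribute>
                  </xs:complexType>
                </xs:element>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:schema>
        """;

    // Compiled once; Schema objects are thread-safe, Validator objects are not.
    private static final Schema ORDER_SCHEMA = compileSchema();

    private static Schema compileSchema() {
        try {
            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // The schema is embedded and trusted, so no external DTD or schema may be fetched.
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            return factory.newSchema(new StreamSource(new StringReader(ORDER_XSD)));
        } catch (SAXException e) {
            throw new IllegalStateException("embedded schema failed to compile", e);
        }
    }

    /** Returns null when the document conforms to ORDER_XSD, otherwise the validator's reason. */
    static String validateOrder(String xml) {
        Validator validator = ORDER_SCHEMA.newValidator();
        try {
            // Same rule for the instance document: never resolve external DTDs or schemas.
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(xml)));
            return null;
        } catch (SAXException | IOException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one conforming document and two that a schema-less parser
        // would happily hand to the application.
        String good = "<order><item sku=\"AB1234\" qty=\"2\"/></order>";
        String badQty = "<order><item sku=\"AB1234\" qty=\"-5\"/></order>";
        String unexpected = "<order><item sku=\"AB1234\" qty=\"1\"/><note>free text</note></order>";
        for (String doc : new String[] {good, badQty, unexpected}) {
            String problem = validateOrder(doc);
            System.out.println((problem == null ? "ACCEPT " : "REJECT ") + doc
                + (problem == null ? "" : "  -> " + problem));
        }
    }
}
```

Running `main` accepts the first document and rejects the other two with the validator's message (a `qty` of `-5` violates `xs:positiveInteger`; the `note` element is not allowed by the sequence). This mirrors the Context Notes above: the schema check gives downstream code a guarantee about structure and value ranges, but not about meaning, so application-level checks on the content are still needed. Disabling external DTD and schema access is a separate precaution, since validation itself does not stop a parser from resolving references the document carries.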