CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

 
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Weakness ID: 652 (Weakness Base)Status: Incomplete
+ Description

Description Summary

The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

Extended Description

The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Confidentiality

Technical Impact: Read application data

An attacker might be able to read sensitive information from the XML database.

+ Likelihood of Exploit

High

+ Enabling Factors for Exploitation

XQL queries are constructed dynamically using user supplied input that has not been sufficiently validated.

+ Observed Examples
ReferenceDescription
From CAPEC 84: An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back. doc(accounts.xml)//user[name='*'] The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL.
+ Potential Mitigations

Phase: Implementation

Use parameterized queries. This will help ensure separation between data plane and control plane.

Phase: Implementation

Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base91XML Injection (aka Blind XPath Injection)
Development Concepts699
Research Concepts1000
ChildOfWeakness ClassWeakness Class943Improper Neutralization of Special Elements in Data Query Logic
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory990SFP Secondary Cluster: Tainted Input to Command
Software Fault Pattern (SFP) Clusters (primary)888
+ Relationship Notes

This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
WASC46XQuery Injection
Software Fault PatternsSFP24Tainted input to command
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2008-01-30Evgeny LebanidzeCigitalExternal Submission
Modifications
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Common_Consequences, Relationships
2008-10-14CWE Content TeamMITREInternal
updated Description, Name, Relationship_Notes
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-10-29CWE Content TeamMITREInternal
updated Common_Consequences
2010-02-16CWE Content TeamMITREInternal
updated Taxonomy_Mappings
2010-04-05CWE Content TeamMITREInternal
updated Description, Name
2010-12-13CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-06-23CWE Content TeamMITREInternal
updated Relationships
2014-07-30CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-10-14Unsafe Treatment of XQuery Input
2009-05-27Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection')
2010-04-05Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')
Page Last Updated: July 30, 2014