CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Weakness ID: 652 (Weakness Base)
Status: Incomplete
Description
Description Summary
The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
Extended Description
The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).
Time of Introduction
Implementation
Applicable Platforms
Languages
All
Common Consequences
Scope | Effect
Confidentiality | Technical Impact: Read application data. An attacker might be able to read sensitive information from the XML database.
Likelihood of Exploit
High
Enabling Factors for Exploitation
XQL queries are constructed dynamically using user-supplied input that has not been sufficiently validated.
Observed Examples
Reference | Description
CAPEC 84 | An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing accounts.xml to request that the service provider send all user names back.
doc(accounts.xml)//user[name='*']
The attacks that are possible through XQuery are difficult to predict if the data is not validated prior to executing the XQL.
Potential Mitigations
Phase: Implementation
Use parameterized queries. This will help ensure separation between the data plane and the control plane.
Phase: Implementation
Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.
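The two mitigations above, shown as an added example that is not part of the CWE entry: the vulnerable string-concatenation pattern, its parameterized counterpart (the value travels as an external variable binding rather than as query text), and an allowlist check applied before the query is built. The query shape is taken from the CAPEC 84 example, written with quotes around the document name (doc('accounts.xml')) so that it is valid XQuery; the bindings dictionary stands in for whatever the engine's bind call is (XQJ-style bindString is the assumed model) and no engine is run. The account-name policy and the hostile sample input are constructed for the example.

```python
"""Added example: XQuery injection via concatenation versus a parameterized,
validated query. Constructed for illustration; not code from CWE or CAPEC."""
import re
from typing import Dict, Tuple

# Constructed hostile input: the leading quote closes the string literal in
# the concatenated query, so the remainder is interpreted as query syntax.
HOSTILE_INPUT = "' or '1'='1"


def build_query_unsafe(user_name: str) -> str:
    """Vulnerable pattern: the value is spliced into the query text."""
    return "doc('accounts.xml')//user[name='" + user_name + "']"


def build_query_parameterized(user_name: str) -> Tuple[str, Dict[str, str]]:
    """Mitigation 1 (parameterized query): the query text is a constant that
    declares an external variable; the value is passed separately as a
    binding and is never parsed as query syntax. The (query, bindings) pair
    is what an XQJ-style prepareExpression/bindString call would receive
    (assumed engine model for this example)."""
    query = ("declare variable $name as xs:string external; "
             "doc('accounts.xml')//user[name=$name]")
    return query, {"name": user_name}


# Mitigation 2 (validate input): allowlist for account names. This policy is
# constructed for the example; a real application defines its own.
ACCOUNT_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_account_name(user_name: str) -> bool:
    return ACCOUNT_NAME.fullmatch(user_name) is not None


def lookup_user_query(user_name: str) -> Tuple[str, Dict[str, str]]:
    """Defence in depth: reject anything outside the allowlist, then still
    pass the value as a binding rather than as query text."""
    if not is_valid_account_name(user_name):
        raise ValueError("account name rejected by input validation")
    return build_query_parameterized(user_name)


def lookup_rejects(user_name: str) -> bool:
    """True if lookup_user_query refuses to build a query for this input."""
    try:
        lookup_user_query(user_name)
    except ValueError:
        return True
    return False


def operators_outside_literals(query: str) -> int:
    """Count '=' comparison operators that sit outside single-quoted string
    literals. The fixed template has exactly one; a higher count means the
    input escaped its literal and became query structure (the effect the
    CWE describes as control over the query). XQuery doubles a quote to
    escape it inside a literal, which this scanner handles by toggling twice."""
    in_literal = False
    count = 0
    for ch in query:
        if ch == "'":
            in_literal = not in_literal
        elif ch == "=" and not in_literal:
            count += 1
    return count


if __name__ == "__main__":
    for name in ("alice", HOSTILE_INPUT):
        unsafe = build_query_unsafe(name)
        print(f"unsafe:  {unsafe}  operators={operators_outside_literals(unsafe)}")
        query, bindings = build_query_parameterized(name)
        print(f"param:   {query}  operators={operators_outside_literals(query)}"
              f"  bindings={bindings}")
        print(f"allowlisted: {is_valid_account_name(name)}")
```

The operator count is the observable difference between the two builders: with concatenation the count depends on the input, while with a parameterized query it is a property of the constant query text alone, which is what "separation between the data plane and the control plane" means in practice. Validation is applied in addition, not instead, because an allowlist that is later loosened should not silently reopen the injection.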
This weakness is similar to other weaknesses that enable injection-style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of the attack here is the XML database.
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
WASC | 46 | | XQuery Injection
Content History
Submissions
Submission Date | Submitter | Organization | Source
2008-01-30 | Evgeny Lebanidze | Cigital | External Submission
Modifications
Modification Date | Modifier | Organization | Source
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Relationships
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description, Name, Relationship_Notes
2009-05-27 | CWE Content Team | MITRE | Internal | updated Name
2009-10-29 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2010-02-16 | CWE Content Team | MITRE | Internal | updated Taxonomy_Mappings
2010-04-05 | CWE Content Team | MITRE | Internal | updated Description, Name
2010-12-13 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal | updated Relationships
2012-10-30 | CWE Content Team | MITRE | Internal | updated Potential_Mitigations
Previous Entry Names
Change Date | Previous Entry Name
2008-10-14 | Unsafe Treatment of XQuery Input
2009-05-27 | Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection')
2010-04-05 | Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')