|
|
|
|
CWE-91 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Draft 91 (Weakness Base) | | Description | Summary The software does not properly filter or quote special characters or reserved
words that are used in XML, allowing attackers to modify the syntax, content, or
commands of the XML before it is processed by an end system. | | Potential Mitigations | Assume all input is malicious. Use an appropriate combination of black lists and white
lists to ensure only valid and expected input is processed by the system. | | Context Notes | In vulnerability theory terms, this is a representation-specific case of a
Data/Directive Boundary Error. | | Research Gaps | Under-reported. This is likely found regularly by third party code auditors, but there
are very few publicly reported examples. | | References | | | Relationships | | | Source Taxonomies | PLOVER - XML injection (aka Blind Xpath injection) | | Applicable Platforms | All | | Related Attack Patterns | | CAPEC-ID | Attack Pattern Name |
|---|
| 83 | XPath Injection |
|
|
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated
