
CWE-91 Individual Dictionary Definition (Draft 9)

XML Injection (aka Blind XPath Injection)
Weakness ID: 91 (Weakness Base)
Status: Draft

Description

Summary

The software does not properly filter or quote special characters or reserved words that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system.
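The description and mitigation above, as an added example that is not part of the CWE entry: a Python builder that concatenates user text into XML (the weakness) beside one that builds the document as a tree so input can only ever be text, plus a whitelist validator applied before the XML layer. CONSTRUCTED_INPUT, USERNAME_RE and the function names are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: a value that carries XML markup. Treated as raw
# text it closes the <name> element and opens a new <role> element.
CONSTRUCTED_INPUT = "alice</name><role>admin</role><name>"

# Hypothetical whitelist: the only characters a username may contain. This is
# the "white list" half of the mitigation; anything else is rejected outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(value: str) -> bool:
    """Reject input before it reaches the XML layer (whitelist validation)."""
    return USERNAME_RE.fullmatch(value) is not None


def build_unsafe(username: str) -> str:
    """CWE-91 pattern: user text is concatenated into the document unquoted,
    so reserved characters in the input become part of the XML syntax."""
    return f"<user><name>{username}</name><role>guest</role></user>"


def build_safe(username: str) -> str:
    """Hardened form: the document is built as a tree and serialised by the
    library, which quotes '<', '>' and '&' so input can only ever be text."""
    root = ET.Element("user")
    ET.SubElement(root, "name").text = username
    ET.SubElement(root, "role").text = "guest"
    return ET.tostring(root, encoding="unicode")


def field_of(document: str, tag: str) -> str:
    """Parse the finished document the way a downstream consumer would and
    return the text of the first element with the given tag."""
    element = ET.fromstring(document).find(tag)
    return element.text if element is not None and element.text else ""


def child_count(document: str) -> int:
    """Number of direct children of the root: a change here means the input
    altered document structure rather than just a text value."""
    return len(list(ET.fromstring(document)))


if __name__ == "__main__":
    print("unsafe role:", field_of(build_unsafe(CONSTRUCTED_INPUT), "role"))
    print("safe role:  ", field_of(build_safe(CONSTRUCTED_INPUT), "role"))
    print("safe name:  ", field_of(build_safe(CONSTRUCTED_INPUT), "name"))
    print("whitelist:  ", is_valid_username(CONSTRUCTED_INPUT))
```

Comparing child_count() of the two outputs is the quickest check that a builder preserves structure: the tree-built document always has exactly the elements the code created.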

Context Notes

In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.

Research Gaps

Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.

References

Amit Klein. "Blind XPath Injection". 2004-05-19. <http://www.modsecurity.org/archive/amit/blind-xpath-injection.pdf>.

Relationships

Nature    Type            ID   Name
ChildOf   Weakness Class  74   Failure to Sanitize Data into a Different Plane (aka 'Injection')
ChildOf   View            629
ParentOf  Weakness Base   643  Unsafe Treatment of XPath Input
ParentOf  Weakness Base   652  Unsafe Treatment of XQuery Input

Source Taxonomies

PLOVER - XML injection (aka Blind Xpath injection)

Applicable Platforms

All

Related Attack Patterns

CAPEC-ID  Attack Pattern Name
83        XPath Injection

Page Last Updated: April 22, 2008