XML Injection

high Web App Scanning Plugin ID 114116

Language:

Synopsis

XML Injection

Description

An XML Injection is when an attacker tries to inject an XML documents to the application. If the XML parser fails to contextually validate data, then the test will yield a positive result.

This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Solution

Since a specific value is used to build the XML document, it is necessary to apply strict filtering. Also, the XML processor should be configured to use a local static DTD and disallow any declared DTD included in the XML document.

See Also

https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html

Plugin Details

Severity: High

ID: 114116

Type: remote

Family: Injection

Published: 12/1/2023

Updated: 12/1/2023

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 7.2

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L

CVSS Score Source: Tenable

Reference Information

CWE: 91

OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3

WASC: XPath Injection

CAPEC: 250, 83

DISA STIG: APSC-DV-002550

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API8

OWASP ASVS: 4.0.2-5.3.10

PCI-DSS: 3.2-6.5.1