界: Input Validation and Representation

输入验证与表示问题是由元字符、交替编码和数字表示引起的。安全问题源于信任输入。这些问题包括：“Buffer Overflows”、“Cross-Site Scripting”攻击、“SQL Injection”等其他问题。

XPath Injection

Abstract

利用用户输入构建动态的 XPath 查询使攻击者可借机修改语句的含义。

Explanation

XPath injection 会在以下情况中出现：

1. 数据从一个不可信赖的数据源进入程序。

2. 数据用于动态构造一个 XPath 查询。

示例 1：下列代码可动态地构造并执行一个 XPath 查询，为指定的帐户 ID 检索电子邮件地址。由于该帐户 ID 是从 HTTP 请求中读取的，因此不受信任。


...
string acctID = Request["acctID"];
string query = null;
if(acctID != null) {
       StringBuffer sb = new StringBuffer("/accounts/account[acctID='");
       sb.append(acctID);
       sb.append("']/email/text()");
       query = sb.toString();
}

XPathDocument docNav = new XPathDocument(myXml);
XPathNavigator nav = docNav.CreateNavigator();
nav.Evaluate(query);
...

在正常情况下（例如搜索属于帐号 1 的电子邮件地址），此代码执行的查询将如下所示：

/accounts/account[acctID='1']/email/text()

但是，由于这个查询是动态构造的，由一个不变的基查询字符串和一个用户输入字符串连接而成，因此只有在 acctID 不包含单引号字符时，才会正确执行这一查询。如果攻击者为 acctID 输入字符串 1' or '1' = '1，则该查询会变成：

/accounts/account[acctID='1' or '1' = '1']/email/text()

附加条件 1' or '1' = '1 会使 where 从句永远评估为 true，因此该查询在逻辑上将等同于一个更为简化的查询：

//email/text()

通常，查询必须仅返回已通过身份验证的用户所拥有的条目，而通过以这种方式简化查询，攻击者就可以规避这一要求。现在，查询会返回存储在文档中的所有电子邮件地址，而不论其指定所有者是谁。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 643

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754

[3] Standards Mapping - FIPS200 SI

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3

[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3

[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1

[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[17] Standards Mapping - OWASP Top 10 2010 A1 Injection

[18] Standards Mapping - OWASP Top 10 2013 A1 Injection

[19] Standards Mapping - OWASP Top 10 2017 A1 Injection

[20] Standards Mapping - OWASP Top 10 2021 A03 Injection

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[55] Standards Mapping - Web Application Security Consortium Version 2.00 XPath Injection (WASC-39)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 XPath Injection

desc.dataflow.dotnet.xpath_injection

Abstract

标识方法会调用通过未经验证的输入构建的 XPath 查询。此调用使攻击者可修改语句的含义或者执行任意 XPath 查询。

Explanation

XPath injection 会在以下情况中出现：

1. 数据从一个不可信赖的数据源进入程序。

2. 数据用于动态构造一个 XPath 查询。

示例 1：以下 Objective-C 代码会调用 C API，它会动态地构造并执行一个 XPath 查询，用于检索指定帐户 ID 的电子邮件地址。由于该帐户 ID 是从 HTTP 请求中读取的，因此不受信任。


...
    NSString *accountStr = account.text;

    xmlXPathContextPtr xpathCtx;
    NSString *query = @"/accounts/account[actId='" + accountStr + @"']/email/text()";

    xpathCtx = xmlXPathNewContext(doc);

    /* Evaluate XPath expression */
    xmlChar *queryString =
        (xmlChar *)[query cStringUsingEncoding:NSUTF8StringEncoding];
    xpathObj = xmlXPathEvalExpression(queryString, xpathCtx);
...