界: Input Validation and Representation

输入验证与表示问题是由元字符、交替编码和数字表示引起的。安全问题源于信任输入。这些问题包括：“Buffer Overflows”、“Cross-Site Scripting”攻击、“SQL Injection”等其他问题。

XSLT Injection

Abstract

如果处理未经验证的 XSL 样式表，则可能会使攻击者能够更改生成的 XML 的结构和内容、在文件系统中加入任意文件或执行任意代码。

Explanation

XSLT injection 会在以下情况中出现：

1. 数据从一个不可信赖的数据源进入程序。

2. 数据写入到 XSL 样式表中。

通常，应用程序利用 XSL 样式表来转换 XML 文档的格式。XSL 样式表中包括特殊函数，虽然此类函数能改善转换进程，但如果使用不当也会带来更多漏洞。

如果攻击者能够在样式表中写入 XSL 元素，则可以更改 XSL 样式表和处理的语义。攻击者可能会更改样式表的输出以启用 XSS (Cross-Site Scripting) 攻击、公开本地文件系统资源的内容或执行任意代码。

例 1：下面是一些易受 XSLT 注入攻击的代码：


  ...
  String xmlUrl = Request["xmlurl"];
  String xslUrl = Request["xslurl"];

  XslCompiledTransform xslt = new XslCompiledTransform();
  xslt.Load(xslUrl);

  xslt.Transform(xmlUrl, "books.html");
  ...

如果攻击者将标识的 XSL 传递到 XSTL 处理器，Example 1 会导致三种不同的漏洞利用：

1. XSS：



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <script>alert(123)</script>
    </xsl:template>
  </xsl:stylesheet>

在处理 XSL 样式表时，<script> 会进入受害者的浏览器，从而能够实施 cross-site scripting 攻击。

2. 读取服务器文件系统中的任意文件：



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <xsl:copy-of select="document('file:///c:/winnt/win.ini')"/>
    </xsl:template>
  </xsl:stylesheet>

上述 XSL 样式表将返回 /etc/passwd 文件的内容。

3. 执行任意代码：

XSLT 处理器如果不禁用，能将本机语言方法暴露为 XSLT 函数。



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:App="http://www.tempuri.org/App">
    <msxsl:script implements-prefix="App" language="C#">
      <![CDATA[
        public string ToShortDateString(string date)
          {
              System.Diagnostics.Process.Start("cmd.exe");
              return "01/01/2001";
          }
      ]]>
    </msxsl:script>
    <xsl:template match="ArrayOfTest">
      <TABLE>
        <xsl:for-each select="Test">
          <TR>
          <TD>
            <xsl:value-of select="App:ToShortDateString(TestDate)" />
          </TD>
          </TR>
        </xsl:for-each>
      </TABLE>
    </xsl:template>
  </xsl:stylesheet>

上述样式表将在服务器上执行“cmd.exe”命令。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 494

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[3] Standards Mapping - FIPS200 SI

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[11] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[13] Standards Mapping - OWASP Top 10 2010 A1 Injection

[14] Standards Mapping - OWASP Top 10 2013 A1 Injection

[15] Standards Mapping - OWASP Top 10 2017 A1 Injection

[16] Standards Mapping - OWASP Top 10 2021 A03 Injection

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[51] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.dataflow.dotnet.xslt_injection

Abstract

如果处理未经验证的 XSL 样式表，则可能会使攻击者能够更改生成的 XML 的结构和内容、在文件系统中加入任意文件或执行任意代码。

Explanation


  ...
  InputStream xmlUrl = Utils.getFromURL(request.getParameter("xmlurl"));
  InputStream xsltUrl = Utils.getFromURL(request.getParameter("xslurl"));

  Source xmlSource = new StreamSource(xmlUrl);
  Source xsltSource = new StreamSource(xsltUrl);
  Result result = new StreamResult(System.out);

  TransformerFactory transFact = TransformerFactory.newInstance();
  Transformer trans = transFact.newTransformer(xsltSource);
  trans.transform(xmlSource, result);
  ...

当攻击者将标识的 XSL 传递到 XSTL 处理器时，Example 1 中的代码会导致三种不同的漏洞利用：

1. XSS：



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <script>alert(123)</script>
    </xsl:template>
  </xsl:stylesheet>

在处理 XSL 样式表时，<script> 会进入受害者的浏览器，从而能够实施 cross-site scripting 攻击。

2. 读取服务器文件系统中的任意文件：



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <xsl:copy-of select="document('/etc/passwd')"/>
    </xsl:template>
  </xsl:stylesheet>

上述 XSL 样式表将返回 /etc/passwd 文件的内容。

3. 执行任意 Java 代码：

XSLT 处理器如果不禁用，能将本机 Java 语言方法暴露为 XSLT 函数。



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
    <xsl:template match="/">
      <xsl:variable name="rtobject" select="rt:getRuntime()"/>
      <xsl:variable name="process" select="rt:exec($rtobject,'ls')"/>
      <xsl:variable name="processString" select="ob:toString($process)"/>
      <xsl:value-of select="$processString"/>
    </xsl:template>
  </xsl:stylesheet>

前面的样式表将在服务器上执行“ls”命令。

References

[1] INJECT-8: Take care interpreting untrusted code Oracle

[2] Standards Mapping - Common Weakness Enumeration CWE ID 494

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[4] Standards Mapping - FIPS200 SI

[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[12] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[14] Standards Mapping - OWASP Top 10 2010 A1 Injection

[15] Standards Mapping - OWASP Top 10 2013 A1 Injection

[16] Standards Mapping - OWASP Top 10 2017 A1 Injection

[17] Standards Mapping - OWASP Top 10 2021 A03 Injection

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.dataflow.java.xslt_injection

Abstract

如果处理未经验证的 XSL 样式表，则可能会使攻击者能够更改生成的 XML 的结构和内容、在文件系统中加入任意文件或执行任意代码。

Explanation

XSLT injection 会在以下情况中出现：

1. 数据从一个不可信赖的数据源进入程序。

2. 数据写入到 XSL 样式表中。

通常，应用程序利用 XSL 样式表来转换 XML 文档的格式。XSL 样式表中包括特殊函数，虽然此类函数能改善转换进程，但如果使用不当也会带来更多漏洞。

如果攻击者能够在样式表中写入 XSL 元素，则可以更改 XSL 样式表和处理的语义。攻击者可能会更改样式表的输出以启用 XSS (Cross-Site Scripting) 攻击、公开本地文件系统资源的内容或执行任意代码。如果攻击者完全控制了提交给应用程序的样式表，则他们可能还会执行 XXE (XML External Entity) Injection 攻击。

示例 1：下面是一些易受 XSLT 注入攻击的代码：


...
<?php

$xml = new DOMDocument;
$xml->load('local.xml');

$xsl = new DOMDocument;
$xsl->load($_GET['key']);

$processor = new XSLTProcessor;
$processor->registerPHPFunctions();
$processor->importStyleSheet($xsl);

echo $processor->transformToXML($xml);

?>
...

当攻击者将标识的 XSL 传递到 XSTL 处理器时，Example 1 中的代码会导致三种不同的漏洞利用：

1. XSS：



<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<script>alert(123)</script>
</xsl:template>
</xsl:stylesheet>

在处理 XSL 样式表时，<script> 会进入受害者的浏览器，从而能够实施 cross-site scripting 攻击。

2. 读取服务器文件系统中的任意文件：



<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:copy-of select="document('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>

上述 XSL 样式表将返回 /etc/passwd 文件的内容。

3. 执行任意 PHP 代码：

XSLT 处理器通过启用“registerPHPFunctions”，能将本机 PHP 语言方法暴露为 XSLT 函数。



<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:value-of select="php:function('passthru','ls -la')"/>
</xsl:template>
</xsl:stylesheet>

上述样式表将在服务器上输出“ls”命令的结果。