界: Input Validation and Representation

輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括：「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。

XML Entity Expansion Injection

Abstract

若使用未配置為阻止或限制文件類型定義 (DTD) 實體解析的 XML 剖析器，可能會使剖析器暴露於 XML Entity Expansion Injection

Explanation

XML Entity Expansion Injection 也稱為 XML Bomb，屬於 DoS 攻擊，它可受益於格式正確的有效 XML 區塊，這些區塊呈指數級擴充，直到耗盡伺服器分配的資源。XML 允許您定義用做字串替換巨集的自訂實體。藉由巢狀循環實體解析，攻擊者可能很容易就讓伺服器資源損毀。

以下 XML 文件顯示 XML Bomb 的一個範例。


    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>

此測試可以藉由將小型 XML 文件擴充到記憶體超過 3 GB，使伺服器當機。

References

[1] XML External Entity (XXE) Processing OWASP

[2] Testing for XML Injection OWASP

[3] XML External Entities The Web Application Security Consortium

[4] Standards Mapping - Common Weakness Enumeration CWE ID 776

[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation

[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[16] Standards Mapping - OWASP Top 10 2010 A1 Injection

[17] Standards Mapping - OWASP Top 10 2013 A1 Injection

[18] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I

[52] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)

[53] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.dataflow.abap.xml_entity_expansion_injection

Abstract

若使用未設定為阻止或限制文件類型定義 (DTD) 實體解析的 XML 剖析器，可能會使剖析器暴露於 XML Entity Expansion Injection 攻擊

Explanation

XML 實體擴大注入攻擊是憑藉格式良好的有效 XML 區塊進行的 DoS 攻擊，這些區塊會不斷激增，直到耗盡伺服器分配的資源為止。XML 允許定義充當字串替代巨集的自訂實體。透過建立巢狀的循環實體解析，攻擊者可能輕鬆地導致伺服器資源當機。

以下 XML 文件顯示了 XML 炸彈的範例。


<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

此測試將小型 XML 文件擴大至在記憶體中超過 3GB，從而導致伺服器當機。

References

[1] XML Denial of Service Attacks and Defenses MSDN Magazine

[2] XML External Entity (XXE) Processing OWASP

[3] Testing for XML Injection OWASP

[4] XML External Entities The Web Application Security Consortium

[5] Standards Mapping - Common Weakness Enumeration CWE ID 776

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation

[10] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[15] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[17] Standards Mapping - OWASP Top 10 2010 A1 Injection

[18] Standards Mapping - OWASP Top 10 2013 A1 Injection

[19] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)

[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation

[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I

[53] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)

[54] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.dotnet.xml_entity_expansion_injection

Abstract

若使用未配置為阻止或限制文件類型定義 (DTD) 實體解析的 XML 剖析器，可能會使剖析器暴露於 XML Entity Expansion Injection

Explanation

XML Entity Expansion Injection 也稱為 XML Bombs，是憑藉形式良好的有效 XML 區塊進行的 Denial Of Service (DoS) 攻擊，這些區塊會不斷激增，直到耗盡伺服器配置的資源為止。XML 允許定義充當字串替代巨集的自訂實體。透過建立巢狀的循環實體解析，攻擊者可能輕鬆地導致伺服器資源當機。

以下 XML 文件顯示了 XML 炸彈的範例。


<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

此測試將小型 XML 文件擴大至在記憶體中超過 3GB，從而導致伺服器當機。

References

[1] XML External Entity (XXE) Processing OWASP

[2] Testing for XML Injection OWASP

[3] XML External Entities The Web Application Security Consortium

[4] INJECT-5: Restrict XML inclusion Oracle