界: Input Validation and Representation
輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括:「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。
XML Injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以變更 XML 的結構和內容。
Explanation
XML Injection 發生於:
1.資料從一個不可信賴的來源進入程式。
2.將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。有時 XML injection 可能導致 Cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 ABAP iXML 剖析器時,第二個
1.資料從一個不可信賴的來源進入程式。
2.將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。有時 XML injection 可能導致 Cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes:
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 ABAP iXML 剖析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.abap.xml_injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以更改 XML 的結構和內容。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML 插入甚至可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML 插入甚至可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.dotnet.xml_injection
Abstract
識別的方法寫入了未經驗證的 XML 輸入。此呼叫可讓攻擊者將任意元素或屬性插入 XML 文件。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.cpp.xml_injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以變更 XML 的結構和內容。
Explanation
XML Injection 發生於:
1.資料從一個不可信賴的來源進入程式。
2.將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。有時 XML injection 可能導致 Cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1.資料從一個不可信賴的來源進入程式。
2.將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。有時 XML injection 可能導致 Cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes:
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.golang.xml_injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以更改 XML 的結構和內容。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] IDS16-J. Prevent XML Injection CERT
[2] INJECT-3: XML and HTML generation requires care Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.java.xml_injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以更改 XML 的結構和內容。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
這可能允許攻擊者能以 1 美元購買一雙價值 100 美元的鞋子。
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
這可能允許攻擊者能以 1 美元購買一雙價值 100 美元的鞋子。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.javascript.xml_injection
Abstract
識別的方法寫入了未經驗證的 XML 輸入。此呼叫可讓攻擊者將任意元素或屬性插入 XML 文件。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.objc.xml_injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以更改 XML 的結構和內容。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 XML 解析器時,第二個
此種攻擊更嚴重的形式稱為 XML External Entity (XXE) Injection,發生在當攻擊者控制了被解析的 XML 文件的前端或全部內容。
範例 2:此為易於受 XXE 攻擊的程式碼:
假設攻擊者可以控制將 XML 輸入到下列程式碼:
現在,假設攻擊者將下列 XML 傳遞到
處理 XML 時,<foo> 元素的內容會填入系統
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 XML 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。此種攻擊更嚴重的形式稱為 XML External Entity (XXE) Injection,發生在當攻擊者控制了被解析的 XML 文件的前端或全部內容。
範例 2:此為易於受 XXE 攻擊的程式碼:
假設攻擊者可以控制將 XML 輸入到下列程式碼:
...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...
現在,假設攻擊者將下列 XML 傳遞到
Example 2 中的程式碼:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
處理 XML 時,<foo> 元素的內容會填入系統
boot.ini 檔案的內容。攻擊者可能利用傳回到用戶端的 XML 元素竊取資料或取得資訊,以便知道有哪些網路資源。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.php.xml_injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以更改 XML 的結構和內容。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.python.xml_injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以變更 XML 的結構和內容。剖析未經驗證的 XML 可能會導致 Denial of Service、洩漏敏感資訊,甚至引發遠端指令碼執行。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2.將資料寫入 XML 文件或剖析為 XML。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1. 資料從一個不可信賴的來源進入程式。
2.將資料寫入 XML 文件或剖析為 XML。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] Introduction to Software Security: XML Injection Atacks University of Wisconsin-Madison
[2] Exploitation: XML External Entity (XXE) Injection Depth Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.ruby.xml_injection
Abstract
將未經驗證的資料寫入 XML 文件中可能讓攻擊者得以變更 XML 的結構和內容。剖析未經驗證的 XML 可能會導致 Denial of Service、洩漏敏感資訊,甚至引發遠端指令碼執行。
Explanation
XML Injection 發生於:
1.資料從一個不可信賴的來源進入程式。
2.將資料寫入 XML 文件或剖析為 XML。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 Cross-site scripting 或 Dynamic code 評估。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1.資料從一個不可信賴的來源進入程式。
2.將資料寫入 XML 文件或剖析為 XML。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 Cross-site scripting 或 Dynamic code 評估。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] IDS16-J. Prevent XML Injection CERT
[2] INJECT-3: XML and HTML generation requires care Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.scala.xml_injection
Abstract
識別的方法寫入了未經驗證的 XML 輸入。此呼叫可讓攻擊者將任意元素或屬性插入 XML 文件。
Explanation
XML Injection 發生於:
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
使用 SAX 解析器時,第二個
1. 資料從一個不可信賴的來源進入程式。
2. 將資料寫入 XML 文件。
應用程式通常使用 XML 來儲存資料或傳送訊息。應用程式會將用來儲存資料的 XML 文件視為資料庫,因此文件中可能會包含敏感資訊。XML 訊息通常用於 Web 服務,可用來傳送敏感資訊。XML 訊息甚至可用於傳送驗證憑證。
如果攻擊者有能力撰寫未經處理的 XML,即有可能修改 XML 文件和訊息的語義。在大部分不具惡意的情況中,攻擊者可能會插入外來的標籤,並造成 XML 解析器拋出一個異常。在較為惡意的 XML injection 情況下,攻擊者可能會新增 XML 元素,以此來變更驗證憑證或修改 XML 電子商務資料庫中之價格。在某些情況下,XML injection 可能導致 cross-site scripting 或 Dynamic Code Evaluation。
範例 1:
假設攻擊者能控制以下 XML 中的
shoes。
<order>
<price>100.00</price>
<item>shoes</item>
</order>
現在假設此 XML 包含在要求訂購一雙鞋子的後端 Web 服務要求中。假設攻擊者修改其要求並以
shoes 取代 shoes</item><price>1.00</price><item>shoes。新的 XML 會變成:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
使用 SAX 解析器時,第二個
<price> 的值會覆寫第一個 <price> 標籤的值。因此攻擊者將能以 1 美元購買一雙價值 100 美元的鞋子。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.swift.xml_injection