XAML Injection

ID

csharp.xaml_injection

Severity

high

Resource

Injection

Language

CSharp

Tags

CWE:611, NIST.SP.800-53, PCI-DSS:6.5.1

Description

XAML Injection occurs when untrusted input is directly used as XAML data without any proper validation or sanitization.

Rationale

XAML Injection may allow an attacker to manipulate the XAML files processed by an application, possibly executing arbitrary code or causing unintended behavior.

Here is a C# example of this kind of vulnerability:

using System;
using System.IO;
using System.Windows.Markup;
using System.Web.UI;
using System.Xml;

public class XamlInjection : System.Web.UI.Page
{
    public void LoadXaml()
    {
        try
        {
            // Untrusted input: the XAML markup comes straight from the query string.
            string xaml = Request.QueryString["xaml"];
            StringReader stringReader = new StringReader(xaml);
            XmlReader xmlReader = XmlReader.Create(stringReader);
            // The attacker-controlled markup is parsed and instantiated as objects.
            var obj = XamlReader.Load(xmlReader); // FLAW
        }
        catch (Exception ex)
        {
            throw new Exception($"Error loading XAML: {ex.Message}");
        }
    }
}

Remediation

Never allow untrusted input to be used as XAML data.

It’s important to note that the provided approach may not cover all attack vectors. A comprehensive security strategy should be applied to ensure robust protection against XAML injection and related vulnerabilities.
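One way to apply this remediation, as an added example that is not part of the original page or the detector's own code: the request parameter is no longer XAML but a key that selects one of a fixed set of XAML templates shipped with the application, and the reader is configured so that neither DTDs nor external references are processed (the template directory, file names and class names below are assumptions).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Windows.Markup;
using System.Xml;

public static class SafeXamlLoader
{
    // Allow list: only these keys are accepted, and each maps to a file the
    // application ships. Untrusted input never reaches XamlReader.Load.
    // (Hypothetical paths; adjust to the application's layout.)
    private static readonly Dictionary<string, string> Templates =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "summary", "Templates/Summary.xaml" },
            { "details", "Templates/Details.xaml" },
        };

    // Hardened reader settings: DTDs are rejected and no external resolver is
    // used, which also addresses the CWE-611 (XXE) concern tagged on this rule.
    private static readonly XmlReaderSettings Settings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };

    public static object LoadTemplate(string templateKey)
    {
        if (templateKey == null || !Templates.TryGetValue(templateKey, out string path))
        {
            // Reject anything not on the allow list instead of trying to sanitize it.
            throw new ArgumentException("Unknown template key.", nameof(templateKey));
        }

        using (Stream stream = File.OpenRead(path))
        using (XmlReader xmlReader = XmlReader.Create(stream, Settings))
        {
            return XamlReader.Load(xmlReader); // loads a trusted, shipped file only
        }
    }
}

public class XamlPage : System.Web.UI.Page
{
    public void LoadXaml()
    {
        // The query string carries a template key, never XAML markup.
        var obj = SafeXamlLoader.LoadTemplate(Request.QueryString["template"]);
    }
}
```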

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the kinds of sources to check.

  • neutralizations, which indicates the kinds of neutralizations to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

  • CWE-611 : Improper Restriction of XML External Entity Reference.