XML Injection
| Field | Value |
| --- | --- |
| ID | go.xml_injection |
| Severity | high |
| Resource | Injection |
| Language | Go |
| Tags | CWE:91, NIST.SP.800-53, PCI-DSS:6.5.1 |
Rationale
If the software permits untrusted input to influence any part, or the entirety, of an XSLT stylesheet, an attacker can alter the structure and content of the resulting XML. Should that XML be displayed in a browser, the attacker may craft its content to carry out cross-site scripting attacks, or to perform operations on the server on the victim's behalf by abusing the browser's same-origin policy (a variant of the cross-site request forgery attack).
Additionally, this vulnerability can allow the attacker to mount server-targeted attacks, such as reading arbitrary files, executing Java code, or running OS commands, particularly if the XSLT processor's extension functions are not disabled.
Here is a Go example of this kind of vulnerability:

```go
package xml_injection

import (
	"fmt"
	"net/http"
	"os"

	"github.com/jbowtie/gokogiri/xml"
	"github.com/jbowtie/ratago/xslt"
)

func xsltInjection(r *http.Request, inputXmlFile string, testOptions xslt.StylesheetOptions) {
	// Retrieve 'thisInput' from the query parameters. This is untrusted,
	// caller-controlled text.
	thisInput := r.URL.Query().Get("thisInput")
	realInput := []byte(thisInput)
	// Parse the untrusted text as an XML document.
	doc, err := xml.Parse(realInput, xml.DefaultEncodingBytes, nil, xml.DefaultParseOption, xml.DefaultEncodingBytes)
	if err != nil {
		fmt.Println("Error parsing XML:", err)
		return
	}
	defer doc.Free()
	// FLAW: the document built from the request parameter is compiled as the
	// XSLT stylesheet, so the caller controls the whole transformation.
	stylesheet, err := xslt.ParseStylesheet(doc, "")
	if err != nil {
		fmt.Println("Error parsing stylesheet:", err)
		return
	}
	// Read and parse the input XML that the stylesheet will be applied to.
	inputXml, err := os.ReadFile(inputXmlFile)
	if err != nil {
		fmt.Println("Error reading XML file:", err)
		return
	}
	inputDoc, err := xml.Parse(inputXml, xml.DefaultEncodingBytes, nil, xml.DefaultParseOption, xml.DefaultEncodingBytes)
	if err != nil {
		fmt.Println("Error parsing input XML:", err)
		return
	}
	defer inputDoc.Free()
	// Process the input XML with the attacker-supplied stylesheet.
	output, err := stylesheet.Process(inputDoc, testOptions)
	if err != nil {
		fmt.Println("Error processing stylesheet:", err)
		return
	}
	fmt.Println("Processed Output:", output)
}
```
Remediation
Never allow untrusted input to completely determine the XSLT stylesheet to be used or to be appended into the XSLT code that will be used in a transformation.
If untrusted input is necessary for dynamically selecting the XSLT stylesheet, implement a whitelist approach by permitting only the selection from a predefined list of fixed XSLT stylesheets. When combining untrusted input within the XSLT stylesheet, apply strict validation to ensure that only specific, verified user-controlled inputs are incorporated.
Additionally, configure the XSLT transformer to permit only a limited set of verified safe XSLT functions and transformations.
Configuration
The detector has the following configurable parameters:
- sources, which indicates the source kinds to check.
- neutralizations, which indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-91: XML Injection (aka Blind XPath Injection).