/vulndb/XML Injection

XML Injection is a Code Injection variant in which an attacker includes a malicious XML block that is then processed by an XML processor.

An attacker may inject XML into the target application in order to change the application’s configuration data or insert malicious content. This happens because user-supplied data is used directly to build XML documents. The same vulnerability may also be used to read arbitrary files, such as application source code, passwords and configuration data, from the application’s file system.

Solution

Sanitise all user-supplied data for special characters that could be used to build XML tags, such as <, > and <![CDATA[. It is generally recommended to encode user-supplied input with XML entities where this is appropriate.

Caveats

An attacker may try to inject CDATA tags to insert data that should not be parsed as XML. This means that it may be possible, for example, to insert a complex JavaScript payload that would be ignored by the XML parser and thus embedded into the application without notice.
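The Solution and Caveats above, as an added example that is not part of the original page: a document built by string concatenation next to two hardened builders, parsed back to show whether the input stayed a text node. The element names (user, name, note) and the sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample input: closes the surrounding tag, adds an element,
# and wraps script markup in a CDATA section.
UNTRUSTED = ('bob</name><note>injected</note>'
             '<name><![CDATA[<script>x</script>]]>')

def build_unsafe(value):
    """The 'before': user data concatenated straight into the document."""
    return "<user><name>" + value + "</name></user>"

def build_escaped(value):
    """Encode &, < and > as XML entities before concatenation.
    (For attribute values use xml.sax.saxutils.quoteattr instead.)"""
    return "<user><name>" + escape(value) + "</name></user>"

def build_with_api(value):
    """Assign the value as a text node; the serialiser does the escaping."""
    root = ET.Element("user")
    ET.SubElement(root, "name").text = value
    return ET.tostring(root, encoding="unicode")

def child_tags(document):
    """Element names found directly under <user> once the document is parsed."""
    return [child.tag for child in ET.fromstring(document)]

def name_texts(document):
    """Text content of every <name> element in the parsed document."""
    return [el.text for el in ET.fromstring(document).findall("name")]

if __name__ == "__main__":
    for builder in (build_unsafe, build_escaped, build_with_api):
        doc = builder(UNTRUSTED)
        print(builder.__name__, child_tags(doc), name_texts(doc))
```

In the unsafe build the parser sees three child elements and hands the CDATA content back as literal markup; in both hardened builds there is a single name element whose text equals the original input.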

References

https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)