XQuery Injection

Last edited by Robert Auger 10 years, 10 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-46

 

 


XQuery Injection is a variant of the classic SQL injection attack that targets the XML XQuery language. It exploits improperly validated data that is passed to XQuery commands, which in turn executes commands on the attacker's behalf with whatever access the XQuery routines have. XQuery injection can be used to enumerate elements in the victim's environment, inject commands to the local host, or execute queries to remote files and data sources. As with SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer.

 

Consider the example XML document below, users.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<userlist>
<user category="group1">
  <uname>jpublic</uname>
  <fname>john</fname>
  <lname>public</lname>
  <status>good</status>
</user>
<user category="admin">
  <uname>jdoe</uname>
  <fname>john</fname>
  <lname>doe</lname>
  <status>good</status>
</user>
<user category="group2">
  <uname>mjane</uname>
  <fname>mary</fname>
  <lname>jane</lname>
  <status>good</status>
</user>
<user category="group1">
  <uname>anormal</uname>
  <fname>abby</fname>
  <lname>normal</lname>
  <status>revoked</status>
</user>
</userlist>
 

A typical XQuery of this document for the user mjane:

doc("users.xml")/userlist/user[uname="mjane"]

would return:

<user category="group2">
  <uname>mjane</uname>
  <fname>mary</fname>
  <lname>jane</lname>
  <status>good</status>
</user>

Assuming that the XQuery gets its user name string from the input, an attacker can manipulate this query into returning the set of all users. By providing the input string

 

something" or ""="

 

the XQuery becomes:

doc("users.xml")/userlist/user[uname="something" or ""=""]

 

This would return a node-set of all users, because the added condition ""="" is always true.

Many forms of attack are possible through XQuery, and they are very difficult to predict. Mitigating XQuery injection requires proper input validation before the XQuery is executed. It is also important to run the XML parsing and query infrastructure with minimal privileges, so that an attacker is limited in their ability to probe other system resources from XQuery.
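The input validation described above, as an added example that is not part of the original WASC entry: it shows the concatenated query from the page next to an allowlist check, and goes one step further by comparing the input to the uname text as plain data. The function names, the trimmed sample document and the user name policy are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the page's users.xml.
USERS_XML = """<userlist>
<user category="admin"><uname>jdoe</uname><status>good</status></user>
<user category="group2"><uname>mjane</uname><status>good</status></user>
<user category="group1"><uname>anormal</uname><status>revoked</status></user>
</userlist>"""

# Assumed policy: user names are 1-32 ASCII letters, digits, '_', '.' or '-'.
# Quotes, '&', brackets and whitespace can therefore never reach the query text.
UNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def build_query_vulnerable(uname):
    """Concatenates raw input into the query text (the flaw described above)."""
    return 'doc("users.xml")/userlist/user[uname="' + uname + '"]'

def validate_uname(uname):
    """Allowlist check run before any query is built; raises on anything else."""
    if not UNAME_RE.fullmatch(uname):
        raise ValueError("rejected user name: %r" % uname)
    return uname

def build_query_validated(uname):
    """Same query, but only ever built from allowlisted input."""
    return build_query_vulnerable(validate_uname(uname))

def find_user_as_data(uname):
    """Compares the input to <uname> text as a plain string, never as query syntax."""
    root = ET.fromstring(USERS_XML)
    return [u.findtext("uname") for u in root.iter("user")
            if u.findtext("uname") == uname]

if __name__ == "__main__":
    payload = 'something" or ""="'          # input string from the page
    print(build_query_vulnerable(payload))  # predicate is now always true
    print(find_user_as_data(payload))       # no user has that literal name
    print(build_query_validated("mjane"))
    try:
        build_query_validated(payload)
    except ValueError as exc:
        print(exc)
```
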

 

