
Detailed introduction to the sample code of XML injection in Web security

黄舟 (original article)
2017-03-08 16:48

XML injection works on the same principle as SQL injection: the attacker supplies input that is interpreted as part of the document rather than as data, and so performs actions beyond his own permissions. XML is a data storage format; if user-supplied data is written into, or read out of, an XML document without escaping, the result is an XML injection vulnerability. An attacker can then change the structure of the XML, for example by adding new nodes, and so influence how the data is processed later.

Attack

The following is an example of saving registered user information in XML format:

final String GUESTROLE = "guest_role";
...
// userdata is the XML record to be saved; it takes the two
// user-submitted parameters name and email.
String userdata = "<USER role=\"" +
                GUESTROLE +
                "\"><name>" +
                request.getParameter("name") +
                "</name><email>" +
                request.getParameter("email") +
                "</email></USER>";
// save the XML
userDao.save(userdata);

As you can see, this code does not filter or escape the submitted values. After an ordinary user registers, a record like the following is produced:

<?xml version="1.0" encoding="UTF-8"?>
<USER role="guest_role">
    <name>user1
    </name>
    <email>user1@a.com
    </email>
</USER>

When asked for an email address, the attacker can instead submit the following:

user1@a.com</email></USER><USER role="admin_role"><name>lf</name><email>user2@a.com

After this registration, the stored data becomes:

<?xml version="1.0" encoding="UTF-8"?>
<USER role="guest_role">
    <name>user1
    </name>
    <email>user1@a.com</email>
</USER>
<USER role="admin_role">
    <name>lf</name>
    <email>user2@a.com
    </email>
</USER>

There is now an additional user lf with role="admin_role": the attacker has created an administrator account. Note that the stored data as shown has two root elements, which a strict XML parser would reject; the attack as shown therefore assumes that the records are stored as fragments inside an enclosing element, or are read by code that does not require a well-formed document.

Defense

As the old saying goes, where there is attack, there is defense. The principle of the defense is simple: escape the characters that have special meaning in XML wherever they appear in the data:

&  --> &amp;
<  --> &lt;
>  --> &gt;
"  --> &quot;
'  --> &#39;

Before saving or displaying the XML, escape the data parts on their own; the markup itself is left as it is:

String userdata = "<USER role=\"" +
                GUESTROLE +
                "\"><name>" +
                StringUtil.xmlencode(request.getParameter("name")) +
                "</name><email>" +
                StringUtil.xmlencode(request.getParameter("email")) +
                "</email></USER>";

That is all that is needed for the data shown here. Two points are worth keeping in mind: the same table also covers data placed in attribute values (the quote entities are there for that case), and building the record with an XML library instead of string concatenation makes the escaping automatic rather than something every call site has to remember.
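The attack and the defense above, as an added example that is not part of the original article, written in Python so that the stored record can be parsed back and the effect of the injection inspected. The vulnerable and escaped builders mirror the two Java snippets; xmlencode implements the five-entry escape table above (the article does not show the body of StringUtil.xmlencode); the USERS wrapper element, the sample values and the demo function are assumptions made for this example.

```python
# Added example (not from the original article): the vulnerable string
# concatenation from the article beside an escaped version, parsed with the
# standard library so the effect of the injection is visible in the tree.
# The <USERS> wrapper element, the xmlencode() body and the parameter values
# are assumptions for the demo; the article names no wrapper and does not
# show how StringUtil.xmlencode is implemented.
import xml.etree.ElementTree as ET

GUESTROLE = "guest_role"


def xmlencode(s: str) -> str:
    """Escape the five characters from the article's table.
    '&' is replaced first so that the entities produced afterwards are
    not escaped a second time."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;")
             .replace("'", "&#39;"))


def build_user_vulnerable(name: str, email: str) -> str:
    """Mirrors the article's first snippet: parameters dropped into the markup as-is."""
    return ('<USER role="' + GUESTROLE + '"><name>' + name +
            '</name><email>' + email + '</email></USER>')


def build_user_escaped(name: str, email: str) -> str:
    """Mirrors the article's fix: the data parts are escaped, the markup is not."""
    return ('<USER role="' + GUESTROLE + '"><name>' + xmlencode(name) +
            '</name><email>' + xmlencode(email) + '</email></USER>')


def roles_in_store(record: str) -> list:
    """Wrap the record in an assumed <USERS> root (a well-formed document has
    exactly one root element) and return the role of every USER element found."""
    doc = ET.fromstring("<USERS>" + record + "</USERS>")
    return [u.get("role") for u in doc.findall("USER")]


# Constructed attacker input, copied from the article's payload.
PAYLOAD = ('user1@a.com</email></USER><USER role="admin_role">'
           '<name>lf</name><email>user2@a.com')


def demo() -> dict:
    """Save the same attacker input through both builders and compare the result."""
    vulnerable_roles = roles_in_store(build_user_vulnerable("user1", PAYLOAD))
    escaped_roles = roles_in_store(build_user_escaped("user1", PAYLOAD))
    # The parser decodes the entities again, so the email comes back as the
    # attacker typed it, but as text inside <email>, not as new elements.
    escaped_email = ET.fromstring(build_user_escaped("user1", PAYLOAD)).findtext("email")
    return {
        "vulnerable_roles": vulnerable_roles,   # ['guest_role', 'admin_role']
        "escaped_roles": escaped_roles,         # ['guest_role']
        "escaped_email": escaped_email,         # the whole payload, as data
    }


if __name__ == "__main__":
    print(demo())
```

With the vulnerable builder the store contains two USER elements, the second with role admin_role; with the escaped builder it contains a single guest record whose email text is the attacker's entire payload, stored as data. Parsing the record back like this is also a cheap check to put on the save path: a record that fails to parse, or that contains more than one USER element, did not come from well-behaved input.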


