CWE-652 XQuery表达式中数据转义处理不恰当(XQuery注入)
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: High
基本描述
The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
扩展描述
The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 943 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 943 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 91 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 91 cwe_View_ID: 699
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Application Data | An attacker might be able to read sensitive information from the XML database. |
可能的缓解方案
Implementation
策略:
Use parameterized queries. This will help ensure separation between data plane and control plane.
Implementation
策略:
Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.
示例代码
例
An attacker may pass XQuery expressions embedded in an otherwise standard XML document. The attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back. doc(accounts.xml)//user[name='*'] The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL.
Notes
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| WASC | 46 | XQuery Injection | |
| Software Fault Patterns | SFP24 | Tainted input to command |