Applicability
Failure to prevent code injection can result in the execution of arbitrary code.
Bibliography
[API 2013] Package javax.script
[Long 2012] IDS00-J. Sanitize untrusted data passed across a trust boundary
[OWASP 2013] Code Injection in Java
8. Prevent XPath injection
Extensible Markup Language (XML) can be used for data storage in a manner similar to a relational database. Data is frequently retrieved from such an XML document using XPath expressions. XPath injection can occur when untrusted data supplied to an XPath retrieval routine is inserted into the expression without proper sanitization. The attack is similar to SQL injection or XML injection (see The CERT® Oracle® Secure Coding Standard for Java [Long 2012], "IDS00-J. Sanitize untrusted data passed across a trust boundary"): an attacker enters valid XPath constructs in the data fields of the query in use. In typical attacks, the predicate (the conditional part of the query) resolves to a tautology, so the query matches every node, or the expression is otherwise altered to give the attacker access to privileged information.
This guideline is a specific example of the broadly scoped Guideline 7, Prevent code injection.
XML Path Injection Example
Consider the following XML document, which stores user names and (hashed) passwords.
<users>
  <user>
    <username>Utah</username>
    <password>e90205372a3b89e2</password>
  </user>
  <user>
    <username>Bohdi</username>
    <password>6c16b22029df4ec6</password>
  </user>
</users>
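The tautology attack described above, run against the two users in this document, as an added example (this code is not from the book or the CERT guideline; it uses only the JDK's javax.xml.xpath API). The vulnerable routine concatenates the supplied user name and password into the XPath expression; the hardened routine binds them as XPath variables through an XPathVariableResolver, so the input is always compared as a string value and can never change the structure of the expression. The class, method and variable names are hypothetical, and the XML is the document above embedded inline so the program runs offline.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {

    // The users document from the text, constructed inline for the example.
    private static final String USERS_XML =
        "<users>"
      + "<user><username>Utah</username><password>e90205372a3b89e2</password></user>"
      + "<user><username>Bohdi</username><password>6c16b22029df4ec6</password></user>"
      + "</users>";

    static Document parseUsers() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Not an XPath-injection defence, but cheap: refuse DOCTYPE declarations
        // so the JDK's default parser cannot be abused with external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(USERS_XML)));
    }

    // VULNERABLE: untrusted input is concatenated into the XPath expression.
    static List<String> loginUnsafe(Document doc, String user, String pass)
            throws XPathExpressionException {
        String expr = "//users/user[username/text()='" + user
                    + "' and password/text()='" + pass + "']/username/text()";
        return evaluate(XPathFactory.newInstance().newXPath(), expr, doc);
    }

    // HARDENED: input is supplied as XPath variables ($user, $pass) through a
    // resolver, so it is only ever a string value, never expression syntax.
    static List<String> loginSafe(Document doc, String user, String pass)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver((QName name) -> {
            switch (name.getLocalPart()) {
                case "user": return user;
                case "pass": return pass;
                default:     return null;
            }
        });
        String expr = "//users/user[username/text()=$user and password/text()=$pass]"
                    + "/username/text()";
        return evaluate(xpath, expr, doc);
    }

    // Evaluates the expression and collects the matched text nodes.
    private static List<String> evaluate(XPath xpath, String expr, Document doc)
            throws XPathExpressionException {
        NodeList nodes = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
        List<String> names = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            names.add(nodes.item(i).getNodeValue());
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseUsers();
        // Password field payload. In the unsafe version the predicate becomes
        //   username/text()='Utah' and password/text()='' or '1'='1'
        // and because 'and' binds tighter than 'or', it is true for every <user>.
        String payload = "' or '1'='1";
        System.out.println("unsafe, payload : " + loginUnsafe(doc, "Utah", payload)); // [Utah, Bohdi]
        System.out.println("safe,   payload : " + loginSafe(doc, "Utah", payload));   // []
        System.out.println("safe,   correct : " + loginSafe(doc, "Utah", "e90205372a3b89e2")); // [Utah]
    }
}
```

Compile and run with `javac XPathInjectionDemo.java && java XPathInjectionDemo`. The unsafe call returns both user names without any valid password, while the hardened call with the same payload returns nothing and only succeeds with the real credential. Variable binding is preferable to escaping quotes by hand: XPath 1.0 string literals have no escape sequence, so a quoting-based sanitizer has to handle both quote characters and is easy to get wrong.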