        // Walk from the matched <user> element to the text node holding the name
        Node node = nodes.item(i).getChildNodes().item(1).getChildNodes().item(0);
        System.out.println(node.getNodeValue());
    }
    return (nodes.getLength() >= 1);
}
Using this method, the data specified in the userName and password fields cannot be
interpreted as executable content at runtime.
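The same approach as a complete, runnable Java program, added here as an illustration (it is not the book's own listing): the user store is a constructed in-memory XML string instead of users.xml, and the untrusted userName and password values reach the XPath engine only through an XPathVariableResolver, so they are compared as literal string values rather than parsed as part of the query.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathLoginCheck {

    // Constructed sample user store (stands in for the book's users.xml file).
    private static final String USERS_XML =
        "<users>"
      + "  <user><username>o'brien</username><password>s3cret</password></user>"
      + "  <user><username>alice</username><password>hunter2</password></user>"
      + "</users>";

    // The query text is a constant; untrusted input is referenced only as variables.
    private static final String QUERY =
        "//users/user[username/text()=$userName and password/text()=$password]";

    static boolean evaluate(final String userName, final String password)
            throws Exception {
        DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
        domFactory.setNamespaceAware(true);
        DocumentBuilder builder = domFactory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(USERS_XML)));

        XPath xpath = XPathFactory.newInstance().newXPath();
        // The resolver hands $userName and $password to the engine as opaque values,
        // so quotes, '=', '/' and other metacharacters in them are never parsed.
        xpath.setXPathVariableResolver(name -> {
            if ("userName".equals(name.getLocalPart())) return userName;
            if ("password".equals(name.getLocalPart())) return password;
            return null;
        });
        XPathExpression expr = xpath.compile(QUERY);
        NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
        return nodes.getLength() >= 1;
    }

    public static void main(String[] args) throws Exception {
        // A legitimate name containing an apostrophe needs no escaping.
        System.out.println("o'brien login: " + evaluate("o'brien", "s3cret"));
        // Input made of OWASP's listed metacharacters is compared literally.
        System.out.println("metachar login: " + evaluate("' = * ? //", "x"));
    }
}
```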
Applicability
Failure to validate user input may result in information disclosure and execution of unprivileged code.
According to OWASP [OWASP 2013],

    [Prevention of XPath injection] requires the following characters to be removed (that is, prohibited) or properly escaped.
    - < > / ' = " to prevent straight parameter injection.
    - XPath queries should not contain any meta characters (such as ' = * ? // or similar).
    - XSLT expansions should not contain any user input, or if they do, [you should] comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.
Bibliography
[Fortify 2013] “Input Validation and Representation: XML Injection”
[Long 2012] IDS00-J. Sanitize untrusted data passed across a trust boundary
[OWASP 2013] Testing for XPath Injection
[Sen 2007] Avoid the Dangers of XPath Injection
[Oracle 2011b]