Backend Development
XML/RSS Tutorial
Detailed introduction to the sample code of XML injection in Web security
Detailed introduction to the sample code of XML injection in Web security
XML injection attack has the same principle as SQL injection. The attacker enters malicious code to perform functions beyond his own permissions. XML is a way of storing data. If data is directly input or output without escaping when modifying or querying, it will lead to XML injection vulnerabilities. Attackers can modify the XML data format and add new XML nodes, affecting the data processing process.
Attack
The following is an example of saving registered user information in XML format:
final String GUESTROLE = "guest_role";
...
//userdata是准备保存的xml数据,接收了name和email两个用户提交来的数据。
String userdata = "<USER role="+
GUESTROLE+
"><name>"+
request.getParameter("name")+
"</name><email>"+
request.getParameter("email")+
"</email></USER>";
//保存xml
userDao.save(userdata);As you can see, this code does not perform any filtering operations. After an ordinary user registers, such a data record will be generated:
<?xml version="1.0" encoding="UTF-8"?>
<USER role="guest_role">
<name>user1
</name>
<email>user1@a.com
</email>
</USER>When the attacker enters his or her email, he can enter the following code:
user1@a.com</email></USER><USER role="admin_role"><name>lf</name><email>user2@a.com
After the end user registers, the data becomes:
<?xml version="1.0" encoding="UTF-8"?>
<USER role="guest_role">
<name>user1
</name>
<email>user1@a.com</email>
</USER>
<USER role="admin_role">
<name>lf</name>
<email>user2@a.com
</email>
</USER>You can see that there is an additional administrator lf with role="admin_role". achieve the purpose of attack.
Defense
As the old saying goes, where there is attack, there is defense. The principle of defense is actually very simple, which is to escape the key string:
& --> & < --> < > --> > " --> " ' --> '
Before saving and displaying the XML, just escape the data part alone:
String userdata = "<USER role="+
GUESTROLE+
"><name>"+
StringUtil.xmlencode(request.getParameter("name"))+
"</name><email>"+
StringUtil.xmlencode(rrequest.getParameter("email"))+
"</email></USER>";This way That’s it.
The above is the detailed content of Detailed introduction to the sample code of XML injection in Web security. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1381
52
Can I open an XML file using PowerPoint?
Feb 19, 2024 pm 09:06 PM
Can XML files be opened with PPT? XML, Extensible Markup Language (Extensible Markup Language), is a universal markup language that is widely used in data exchange and data storage. Compared with HTML, XML is more flexible and can define its own tags and data structures, making the storage and exchange of data more convenient and unified. PPT, or PowerPoint, is a software developed by Microsoft for creating presentations. It provides a comprehensive way of
Convert XML data to CSV format in Python
Aug 11, 2023 pm 07:41 PM
Convert XML data in Python to CSV format XML (ExtensibleMarkupLanguage) is an extensible markup language commonly used for data storage and transmission. CSV (CommaSeparatedValues) is a comma-delimited text file format commonly used for data import and export. When processing data, sometimes it is necessary to convert XML data to CSV format for easy analysis and processing. Python is a powerful
How to handle XML and JSON data formats in C# development
Oct 09, 2023 pm 06:15 PM
How to handle XML and JSON data formats in C# development requires specific code examples. In modern software development, XML and JSON are two widely used data formats. XML (Extensible Markup Language) is a markup language used to store and transmit data, while JSON (JavaScript Object Notation) is a lightweight data exchange format. In C# development, we often need to process and operate XML and JSON data. This article will focus on how to use C# to process these two data formats, and attach
Using Python to implement data verification in XML
Aug 10, 2023 pm 01:37 PM
Using Python to implement data validation in XML Introduction: In real life, we often deal with a variety of data, among which XML (Extensible Markup Language) is a commonly used data format. XML has good readability and scalability, and is widely used in various fields, such as data exchange, configuration files, etc. When processing XML data, we often need to verify the data to ensure the integrity and correctness of the data. This article will introduce how to use Python to implement data verification in XML and give the corresponding
How to enable administrative access from the cockpit web UI
Mar 20, 2024 pm 06:56 PM
Cockpit is a web-based graphical interface for Linux servers. It is mainly intended to make managing Linux servers easier for new/expert users. In this article, we will discuss Cockpit access modes and how to switch administrative access to Cockpit from CockpitWebUI. Content Topics: Cockpit Entry Modes Finding the Current Cockpit Access Mode Enable Administrative Access for Cockpit from CockpitWebUI Disabling Administrative Access for Cockpit from CockpitWebUI Conclusion Cockpit Entry Modes The cockpit has two access modes: Restricted Access: This is the default for the cockpit access mode. In this access mode you cannot access the web user from the cockpit
What are web standards?
Oct 18, 2023 pm 05:24 PM
Web standards are a set of specifications and guidelines developed by W3C and other related organizations. It includes standardization of HTML, CSS, JavaScript, DOM, Web accessibility and performance optimization. By following these standards, the compatibility of pages can be improved. , accessibility, maintainability and performance. The goal of web standards is to enable web content to be displayed and interacted consistently on different platforms, browsers and devices, providing better user experience and development efficiency.
Convert POJO to XML using Jackson library in Java?
Sep 18, 2023 pm 02:21 PM
Jackson is a Java-based library that is useful for converting Java objects to JSON and JSON to Java objects. JacksonAPI is faster than other APIs, requires less memory area, and is suitable for large objects. We use the writeValueAsString() method of the XmlMapper class to convert the POJO to XML format, and the corresponding POJO instance needs to be passed as a parameter to this method. Syntax publicStringwriteValueAsString(Objectvalue)throwsJsonProcessingExceptionExampleimp
what does web mean
Jan 09, 2024 pm 04:50 PM
The web is a global wide area network, also known as the World Wide Web, which is an application form of the Internet. The Web is an information system based on hypertext and hypermedia, which allows users to browse and obtain information by jumping between different web pages through hyperlinks. The basis of the Web is the Internet, which uses unified and standardized protocols and languages to enable data exchange and information sharing between different computers.
