Backend Development
XML/RSS Tutorial
Detailed introduction to the sample code of XML injection in Web security
Detailed introduction to the sample code of XML injection in Web security
XML injection attack has the same principle as SQL injection. The attacker enters malicious code to perform functions beyond his own permissions. XML is a way of storing data. If data is directly input or output without escaping when modifying or querying, it will lead to XML injection vulnerabilities. Attackers can modify the XML data format and add new XML nodes, affecting the data processing process.
Attack
The following is an example of saving registered user information in XML format:
final String GUESTROLE = "guest_role";
...
//userdata是准备保存的xml数据,接收了name和email两个用户提交来的数据。
String userdata = "<USER role="+
GUESTROLE+
"><name>"+
request.getParameter("name")+
"</name><email>"+
request.getParameter("email")+
"</email></USER>";
//保存xml
userDao.save(userdata);As you can see, this code does not perform any filtering operations. After an ordinary user registers, such a data record will be generated:
<?xml version="1.0" encoding="UTF-8"?>
<USER role="guest_role">
<name>user1
</name>
<email>user1@a.com
</email>
</USER>When the attacker enters his or her email, he can enter the following code:
user1@a.com</email></USER><USER role="admin_role"><name>lf</name><email>user2@a.com
After the end user registers, the data becomes:
<?xml version="1.0" encoding="UTF-8"?>
<USER role="guest_role">
<name>user1
</name>
<email>user1@a.com</email>
</USER>
<USER role="admin_role">
<name>lf</name>
<email>user2@a.com
</email>
</USER>You can see that there is an additional administrator lf with role="admin_role". achieve the purpose of attack.
Defense
As the old saying goes, where there is attack, there is defense. The principle of defense is actually very simple, which is to escape the key string:
& --> & < --> < > --> > " --> " ' --> '
Before saving and displaying the XML, just escape the data part alone:
String userdata = "<USER role="+
GUESTROLE+
"><name>"+
StringUtil.xmlencode(request.getParameter("name"))+
"</name><email>"+
StringUtil.xmlencode(rrequest.getParameter("email"))+
"</email></USER>";This way That’s it.
The above is the detailed content of Detailed introduction to the sample code of XML injection in Web security. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Can I open an XML file using PowerPoint?
Feb 19, 2024 pm 09:06 PM
Can XML files be opened with PPT? XML, Extensible Markup Language (Extensible Markup Language), is a universal markup language that is widely used in data exchange and data storage. Compared with HTML, XML is more flexible and can define its own tags and data structures, making the storage and exchange of data more convenient and unified. PPT, or PowerPoint, is a software developed by Microsoft for creating presentations. It provides a comprehensive way of
Convert XML data to CSV format in Python
Aug 11, 2023 pm 07:41 PM
Convert XML data in Python to CSV format XML (ExtensibleMarkupLanguage) is an extensible markup language commonly used for data storage and transmission. CSV (CommaSeparatedValues) is a comma-delimited text file format commonly used for data import and export. When processing data, sometimes it is necessary to convert XML data to CSV format for easy analysis and processing. Python is a powerful
Handling errors and exceptions in XML using Python
Aug 08, 2023 pm 12:25 PM
Handling Errors and Exceptions in XML Using Python XML is a commonly used data format used to store and represent structured data. When we use Python to process XML, sometimes we may encounter some errors and exceptions. In this article, I will introduce how to use Python to handle errors and exceptions in XML, and provide some sample code for reference. Use try-except statement to catch XML parsing errors When we use Python to parse XML, sometimes we may encounter some
Python parsing special characters and escape sequences in XML
Aug 08, 2023 pm 12:46 PM
Python parses special characters and escape sequences in XML XML (eXtensibleMarkupLanguage) is a commonly used data exchange format used to transfer and store data between different systems. When processing XML files, you often encounter situations that contain special characters and escape sequences, which may cause parsing errors or misinterpretation of the data. Therefore, when parsing XML files using Python, we need to understand how to handle these special characters and escape sequences. 1. Special characters and
How to handle XML and JSON data formats in C# development
Oct 09, 2023 pm 06:15 PM
How to handle XML and JSON data formats in C# development requires specific code examples. In modern software development, XML and JSON are two widely used data formats. XML (Extensible Markup Language) is a markup language used to store and transmit data, while JSON (JavaScript Object Notation) is a lightweight data exchange format. In C# development, we often need to process and operate XML and JSON data. This article will focus on how to use C# to process these two data formats, and attach
Using Python to implement data verification in XML
Aug 10, 2023 pm 01:37 PM
Using Python to implement data validation in XML Introduction: In real life, we often deal with a variety of data, among which XML (Extensible Markup Language) is a commonly used data format. XML has good readability and scalability, and is widely used in various fields, such as data exchange, configuration files, etc. When processing XML data, we often need to verify the data to ensure the integrity and correctness of the data. This article will introduce how to use Python to implement data verification in XML and give the corresponding
Convert POJO to XML using Jackson library in Java?
Sep 18, 2023 pm 02:21 PM
Jackson is a Java-based library that is useful for converting Java objects to JSON and JSON to Java objects. JacksonAPI is faster than other APIs, requires less memory area, and is suitable for large objects. We use the writeValueAsString() method of the XmlMapper class to convert the POJO to XML format, and the corresponding POJO instance needs to be passed as a parameter to this method. Syntax publicStringwriteValueAsString(Objectvalue)throwsJsonProcessingExceptionExampleimp
Is PHP front-end or back-end in web development?
Mar 24, 2024 pm 02:18 PM
PHP belongs to the backend in web development. PHP is a server-side scripting language, mainly used to process server-side logic and generate dynamic web content. Compared with front-end technology, PHP is more used for back-end operations such as interacting with databases, processing user requests, and generating page content. Next, specific code examples will be used to illustrate the application of PHP in back-end development. First, let's look at a simple PHP code example for connecting to a database and querying data:
