This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Missing XML Validation"

From OWASP
Jump to: navigation, search
m
 
(13 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
{{Template:Fortify}}
 
  
[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]
 
  
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
+
Last revision (mm/dd/yy): 2009
 +
 
 +
Last page edit: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
 
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
 
[[ASDR Table of Contents]]
 
__TOC__
 
 
  
 
==Description==
 
==Description==
Line 58: Line 54:
  
 
==References==
 
==References==
Note: A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:
+
TODO
 
 
* [http://cwe.mitre.org/data/definitions/79.html CWE 79].
 
* http://www.link1.com
 
* [http://www.link2.com Title for the link2]
 
 
 
  
 
__NOTOC__
 
__NOTOC__
Line 71: Line 62:
 
[[Category:Input Validation Vulnerability]]
 
[[Category:Input Validation Vulnerability]]
 
[[Category:XML]]
 
[[Category:XML]]
 +
[[Category:Vulnerability]]

Latest revision as of 09:48, 7 December 2015

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 2009

Last page edit: 12/7/2015

Vulnerabilities Table of Contents

Description

Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.

Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.


Risk Factors

  • Talk about the factors that make this vulnerability likely or unlikely to actually happen
  • Discuss the technical impact of a successful exploit of this vulnerability
  • Consider the likely [business impacts] of a successful attack


Examples

Short example name

A short example description, small picture, or sample code with links

Short example name

A short example description, small picture, or sample code with links


Related Attacks


Related Vulnerabilities

Related Controls


Related Technical Impacts


References

TODO