Difference between revisions of "Missing XML Validation"

Revision as of 18:28, 27 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by

Last revision (mm/dd/yy): 05/27/2009

Vulnerabilities Table of Contents

Description

Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.

Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.

Risk Factors

• Talk about the factors that make this vulnerability likely or unlikely to actually happen
• Discuss the technical impact of a successful exploit of this vulnerability
• Consider the likely [business impacts] of a successful attack

Examples

Short example name

A short example description, small picture, or sample code with links

Short example name

A short example description, small picture, or sample code with links

Related Attacks

• Attack 1
• Attack 2

Related Vulnerabilities

• Vulnerability 1
• Vulnerabiltiy 2

Related Controls

• Category:Input Validation

Related Technical Impacts

• Technical Impact 1
• Technical Impact 2

References

Note: A reference to related CWE or CAPEC article should be added when exists. Eg:

• CWE 79.
• http://www.link1.com
• Title for the link2