This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Missing XML Validation"
Weilin Zhong (talk | contribs) (Contents provided by Fortify.) |
m |
||
| (14 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
{{Template:Vulnerability}} | {{Template:Vulnerability}} | ||
| − | |||
| − | |||
| − | + | Last revision (mm/dd/yy): 2009 | |
| + | |||
| + | Last page edit: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | ||
| + | |||
| + | [[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]] | ||
==Description== | ==Description== | ||
| + | |||
| + | Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input. | ||
Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed. | Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed. | ||
| − | |||
| − | ==Related | + | ==Risk Factors== |
| + | |||
| + | * Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen | ||
| + | * Discuss the technical impact of a successful exploit of this vulnerability | ||
| + | * Consider the likely [business impacts] of a successful attack | ||
| + | |||
| + | |||
| + | ==Examples== | ||
| + | |||
| + | ===Short example name=== | ||
| + | : A short example description, small picture, or sample code with [http://www.site.com links] | ||
| + | |||
| + | ===Short example name=== | ||
| + | : A short example description, small picture, or sample code with [http://www.site.com links] | ||
| + | |||
| + | |||
| + | ==Related [[Attacks]]== | ||
| + | |||
| + | * [[Attack 1]] | ||
| + | * [[Attack 2]] | ||
| + | |||
| + | |||
| + | ==Related [[Vulnerabilities]]== | ||
| + | |||
| + | * [[Vulnerability 1]] | ||
| + | * [[Vulnerabiltiy 2]] | ||
| + | |||
| + | ==Related [[Controls]]== | ||
| + | |||
| + | * [[:Category:Input Validation]] | ||
| + | |||
| + | |||
| + | ==Related [[Technical Impacts]]== | ||
| − | + | * [[Technical Impact 1]] | |
| + | * [[Technical Impact 2]] | ||
| − | |||
| − | == | + | ==References== |
| + | TODO | ||
| − | + | __NOTOC__ | |
| − | |||
| + | [[Category:OWASP ASDR Project]] | ||
[[Category:Input Validation Vulnerability]] | [[Category:Input Validation Vulnerability]] | ||
[[Category:XML]] | [[Category:XML]] | ||
| + | [[Category:Vulnerability]] | ||
Latest revision as of 09:48, 7 December 2015
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 2009
Last page edit: 12/7/2015
Vulnerabilities Table of Contents
Description
Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.
Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.
Risk Factors
- Talk about the factors that make this vulnerability likely or unlikely to actually happen
- Discuss the technical impact of a successful exploit of this vulnerability
- Consider the likely [business impacts] of a successful attack
Examples
Short example name
- A short example description, small picture, or sample code with links
Short example name
- A short example description, small picture, or sample code with links
Related Attacks
Related Vulnerabilities
Related Controls
Related Technical Impacts
References
TODO
