Difference between revisions of "OWASP Periodic Table of Vulnerabilities - XPath/XQuery Injection"
From OWASP
Revision history: page created by James Landis; a later minor edit by James Landis added a line break after the first entry in the References section.
Latest revision as of 05:04, 15 May 2013
XPath/XQuery Injection
Root Cause Summary
The application unsafely incorporates user data into an XPath or XQuery expression, so that attacker-controlled input can change the structure and logic of the query rather than being treated as data.
Browser / Standards Solution
None
Perimeter Solution
None
Generic Framework Solution
The framework should provide a safe wrapper for XML search operations that canonicalizes and parameterizes patterns, or that avoids injection pitfalls altogether. Use only XPath and XQuery libraries that are safe against injection, or restrict use to a subset of those libraries that is not vulnerable to it.
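As an added illustration of the wrapper described above (example code written for this page, not code from OWASP or from any XPath library), the following shows the naive string-building pattern beside a small parameterized wrapper. The wrapper API (build_query, xpath_string_literal, find_users, lookup_user), the placeholder syntax and the sample document are all assumptions made here. Python's xml.etree.ElementTree implements only a subset of XPath, so it is used just to run the simple predicate forms; the concat() branch of the literal encoder is there for full XPath 1.0 engines such as lxml or javax.xml.xpath, which have no escape sequences inside string literals.

```python
"""Naive XPath construction versus a parameterized wrapper (example code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample data, not taken from any real system.
USERS_XML = """<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
</users>"""

ROOT = ET.fromstring(USERS_XML)


def build_naive(name: str) -> str:
    """Vulnerable pattern: user data is pasted straight into the expression,
    so a quote character in `name` closes the literal and everything after
    it is parsed as query syntax."""
    return f".//user[@name='{name}']"


def xpath_string_literal(value: str) -> str:
    """Encode any Python string as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequences inside literals, so a value that
    contains both quote kinds has to be assembled with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in re.split(r"(')", value):   # keep each ' as its own piece
        if piece == "'":
            parts.append('"\'"')            # the three-character literal "'"
        elif piece:
            parts.append(f"'{piece}'")
    return "concat(" + ", ".join(parts) + ")"


_PLACEHOLDER = re.compile(r"\$([A-Za-z_]\w*)")


def build_query(template: str, **params: str) -> str:
    """Safe wrapper (hypothetical API): the query shape is a fixed template
    written by the developer; each $name placeholder is replaced by a quoted
    literal, so user data can never add predicates or operators."""
    def substitute(match):
        key = match.group(1)
        if key not in params:
            raise KeyError(f"no value bound for ${key}")
        return xpath_string_literal(params[key])
    return _PLACEHOLDER.sub(substitute, template)


def find_users(query: str) -> list:
    """Run a query against the sample document and return the matching names."""
    return [el.get("name") for el in ROOT.findall(query)]


def lookup_user(name: str) -> list:
    """The lookup an application would expose, built on the safe wrapper."""
    return find_users(build_query(".//user[@name=$name]", name=name))


if __name__ == "__main__":
    hostile = "bob' or '1'='1"
    print("naive query:   ", build_naive(hostile))   # input became query syntax
    print("safe query:    ", build_query(".//user[@name=$name]", name=hostile))
    print("benign lookup: ", lookup_user("bob"))      # ['bob']
    print("hostile lookup:", lookup_user(hostile))    # [] : treated as a name
    print("both quotes:   ", xpath_string_literal("O'Neil \"The Boss\""))
```

The point of the wrapper is that the only XPath the application ever writes is the fixed template; values travel through xpath_string_literal and come out as data. Where the underlying library offers native variable binding (lxml's XPath variables, Java's XPathVariableResolver), prefer that over any string encoding, and restrict the exposed API to the handful of templates the application actually needs rather than accepting arbitrary expressions.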
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
None
References
OWASP Top 10 2010 - A1 Injection
XPath Injection
XQuery Injection (WASC): http://projects.webappsec.org/w/page/13247006/XQuery%20Injection