CWE-652 XQuery表达式中数据转义处理不恰当（XQuery注入）

Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: High

基本描述

The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

扩展描述

The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 943 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 943 cwe_View_ID: 699 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 91 cwe_View_ID: 1000

• cwe_Nature: ChildOf cwe_CWE_ID: 91 cwe_View_ID: 699

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Confidentiality	Read Application Data	An attacker might be able to read sensitive information from the XML database.

可能的缓解方案

Implementation

策略:

Use parameterized queries. This will help ensure separation between data plane and control plane.

Implementation

策略:

Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.

示例代码

例

An attacker may pass XQuery expressions embedded in an otherwise standard XML document. The attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back. doc(accounts.xml)//user[name='*'] The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL.

Notes

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
WASC	46		XQuery Injection
Software Fault Patterns	SFP24		Tainted input to command

文章来源于互联网:scap中文网