XML injections occur when an application builds an XML-formatted string from user input without prior validation or sanitation. In such a case, a
tainted user-controlled value can tamper with the XML string content. Especially, unexpected arbitrary elements and attributes can be inserted in the
corresponding XML description.
A malicious injection payload could, for example:
- Insert tags into the main XML document.
- Add attributes to an existing XML tag.
- Change the data value inside a tag.
A malicious user-supplied value can perform other modifications depending on where and how the constructed data is later used.
What is the potential impact?
The consequences of an XML injection attack on an application vary greatly depending on the application’s logic. It can affect the application
itself or another element if the XML document is used for cross-component data exchange. For this reason, the actual impact can range from benign
information disclosure to critical remote code execution.
Information disclosure
An attacker can forge an attack payload that will modify the XML document so that it will become syntactically incorrect. In that case, when the
data is later used, the parsing component will raise a technical error. If displayed back to the attacker or made available through log files, this
technical error may disclose sensitive business or technical information.
This scenario, while in general the less severe one, is the most frequently encountered. It can combine with any other logic-dependant threat.
Internal requests tampering
Some applications communicate with backend micro-services APIs using XML-based protocols such as SOAP. When those applications are vulnerable to
XML injections, attackers can tamper with the internal requests' content. This will allow them to change internal requests' parameters or locations
which, in turn, can lead to various consequences like performing unauthorized actions or accessing sensitive data.
For example, altering a user creation request in such a way can lead to a privilege escalation if attackers manage to modify the default account
privilege level.
Code execution
An application might build objects based on an XML serialization string. In that case, an attacker that would exploit an XML injection could be
able to alter the serialization string to modify the corresponding object’s properties.
Depending on the deserialization process, this might allow instantiating arbitrary objects or objects with sensitive properties altered. This can
lead to arbitrary code being executed in the same way as a deserialization injection vulnerability.
