You didn't give us information about how the XML is used/parsed afterwards. Still I've got two points on this:
- By using something like http://host/file.xml?a=b%20x=y someone will be able to add an additional attribute; depending on how you deal with the output, this might be a problem. Also some parsers take the first occurrence of an attribute, some the last and some even concatenate values with the same key. So what about http://host/file.xml?x=z%20x=y which may result in something like <element x=z x="y" /> (of course this also depends on how strict your parser is and what values are accepted for x).
- Depending on the parser, there might be ways to encode characters like "/> when sending them to your application without them being HTML entity encoded.
If you provide more information, we might be able to give you a more specific answer. Anyway, I would highly recommend not inserting unchecked user input into any XML. If really needed, you should at least use some kind of filtering (the best would be a whitelisting of accepted values or at least a regex for what you want to accept). In addition, the XML parser should also be provided a schema to validate the XML.
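The following is an added Python example, not part of the answer above, that makes its three points concrete: a value concatenated straight into an attribute lets the caller add an attribute or close the element, the duplicate-attribute case is resolved differently by different parsers (Python's expat simply rejects it), and escaping plus an allowlist regex prevent both. The element names, the `x` attribute and all sample inputs are constructed for the demonstration; the page's own XML format is unknown.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample inputs (hypothetical, not from the original post).
BENIGN = "b"
EXTRA_ATTRIBUTE = 'b" y="c'                 # closes x and adds attribute y
DUPLICATE_ATTRIBUTE = 'z" x="y'             # produces x="z" x="y"
CLOSING_TAG = '"/><extra/><element a="'     # closes the element, adds another

# Allowlist: accept only the characters the application actually expects.
ALLOWED = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def validate(value):
    """Reject anything outside the allowlist before it reaches the XML."""
    if not ALLOWED.match(value):
        raise ValueError("rejected input: %r" % value)
    return value


def build_unsafe(value):
    """String concatenation: the value is never escaped, so quotes and
    angle brackets in it become part of the markup."""
    return '<root><element x="%s" /></root>' % value


def build_safe(value):
    """quoteattr() escapes &, < and > and picks a quote character the value
    does not contain (or entity-encodes it), so the value stays a value."""
    return "<root><element x=%s /></root>" % quoteattr(value)


def parse_children(xml_text):
    """Parse with the stdlib (expat) parser and return the children of <root>
    as (tag, attributes) pairs, or None if the parser rejects the document.
    expat treats a duplicated attribute as a fatal error; other parsers may
    keep the first, keep the last, or merge the values."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [(child.tag, dict(child.attrib)) for child in root]


if __name__ == "__main__":
    for sample in (BENIGN, EXTRA_ATTRIBUTE, DUPLICATE_ATTRIBUTE, CLOSING_TAG):
        print("input:   %r" % sample)
        print("  unsafe -> %r" % parse_children(build_unsafe(sample)))
        print("  safe   -> %r" % parse_children(build_safe(sample)))
        try:
            validate(sample)
            print("  allowlist: accepted")
        except ValueError as err:
            print("  allowlist: %s" % err)
```

Running the block shows that the unsafe builder yields an extra `y` attribute for the second input and an extra `<extra/>` element for the fourth, while expat refuses the duplicate-`x` document outright. The safe builder returns the original string as the single `x` value in every case, and the allowlist rejects all three hostile inputs before any XML is built. Schema validation, the answer's last recommendation, is not available in the standard library; `lxml` can validate against an XSD once the document has been built.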