OWASP Periodic Table of Vulnerabilities - XML Injection

From OWASP
Jump to: navigation, search

Return to Periodic Table Working View

Contents

XML Injection

Root Cause Summary

XML documents are generated by including dynamic data without proper encoding.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

The framework should provide safe libraries for constructing and manipulating XML documents that automatically encode all dynamic data. The framework should disallow any direct access to raw XML.

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

Cross-Site Scripting / HTML Injection is a special case of XML injection.

References

Testing for XML Injection (OWASP-DV-008)
XML Injection (WASC)
XML Injection (CWE)