Difference between revisions of "OWASP Periodic Table of Vulnerabilities - XPath/XQuery Injection"

Latest revision as of 00:04, 15 May 2013

Return to Periodic Table Working View

XPath/XQuery Injection

Root Cause Summary

The application unsafely incorporates user data into an XQuery or XPath pattern, which allows the data to change the logic of the query.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

The framework should provide a safe wrapper for XML search operations which canonicalizes and parameterizes patterns or avoids injection pitfalls altogether. Use only safe XQuery and XPath libraries or a subset of those libraries which is not vulnerable to injection.
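The root cause above (user data spliced into an XPath pattern) and the two framework-level fixes (a parameterized pattern, or a fixed pattern that avoids the pitfall altogether), as an added example that is not part of the OWASP page. It uses Ruby's standard REXML library; the user store, the user names and the hostile input are constructed for the demonstration, and the `$n` binding relies on REXML's XPath variable support.

```ruby
require "rexml/document"

# Constructed sample user store for the demonstration (not from the OWASP
# page); a real application would load this from a file or a service.
USERS_XML = <<~XML
  <users>
    <user><name>alice</name><role>admin</role></user>
    <user><name>bob</name><role>viewer</role></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Vulnerable: the user-supplied name is spliced into the XPath predicate.
# An input such as  x' or '1'='1  turns the predicate into
#   name='x' or '1'='1'
# which is always true, so every user's role is returned instead of one.
def roles_unsafe(doc, name)
  REXML::XPath.match(doc, "//user[name='#{name}']/role").map(&:text)
end

# Hardened, parameterized: the name is bound to the XPath variable $n and is
# never parsed as XPath syntax, so the same hostile input matches nothing.
def roles_parameterized(doc, name)
  REXML::XPath.match(doc, "//user[name=$n]/role", {}, { "n" => name })
              .map(&:text)
end

# Hardened, pitfall avoided altogether: the XPath expression is a fixed string
# that contains no user data; the comparison happens in Ruby instead.
def roles_host_compare(doc, name)
  REXML::XPath.match(doc, "//user")
              .select { |u| u.elements["name"].text == name }
              .map { |u| u.elements["role"].text }
end

if __FILE__ == $PROGRAM_NAME
  hostile = "x' or '1'='1"
  p roles_unsafe(DOC, hostile)          # ["admin", "viewer"]: query logic changed
  p roles_parameterized(DOC, hostile)   # []
  p roles_host_compare(DOC, hostile)    # []
  p roles_parameterized(DOC, "bob")     # ["viewer"]
end
```

The parameterized form is what "parameterizes patterns" means in practice: the pattern is fixed at write time and the library binds values into it, so no quoting or escaping of user input is needed. The host-compare form is the fallback when the XPath/XQuery library in use has no variable binding.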

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

None

References

OWASP Top 10 2010 - A1 Injection
XPath Injection
XQuery Injection (WASC)