Overview
XQuery Injection is an attack technique that occurs when untrusted data is concatenated into XQuery queries. It allows an attacker to run arbitrary queries against the XML database. In other words, this type of injection applies to any application that uses XQuery to query XML documents. Before going further, let us see what XQuery is all about.
XQuery
XQuery is the language used to query data stored in an XML database. XQuery can be considered a superset of the XPath language that adds SQL-like syntax as well as some useful functions for querying XML documents. The important features of XQuery are:
- Compact syntax for building XQL queries.
- Extracting information from a database for use in a web service or an application integration.
- Getting reports on XML content stored in an XML database.
- Transforming XML data to XHTML to be published on the Web.
- Quickly traversing the XML tree.
- Predicates filter out nodes that we don’t require.
Examples:
Anyone can attack with an XQuery expression to get information out of the XML database. Similar to SQL injection, a user can craft conditions that make the query evaluate to true. For example, if input is not validated properly, the following string can be used by an attacker to get all the usernames from the database:
doc("accounts.xml")//user[Name='*']
Cause
The main causes of such injection can be:
- Improper input validation of data that is used as a command to be executed in an application.
- User input that comes from a source that is not trustworthy.
- Data that is used to dynamically build an XQuery expression.
- Neglecting the dangerous characters or escape sequences that are commonly used in XQuery queries to get information from the XML database.
Impact
The impact depends mainly on the type of data that is appended to the queries. If the attacker succeeds in exposing the data, he can take complete control of the application. The main consequences of this attack are:
- Loss of confidentiality.
- Escalation of rights.
- Loss of important information.
- Modification or deletion of sensitive information stored in the XML database.
- Execution of arbitrary code, allowing the attacker to take complete control of the application.
Prevention
- Developers should use CAPTCHA to prevent the application from being driven by an automated tool.
- Build parameterized queries that ensure separation between the data plane and the control plane.
- Properly validate user input and reject data where appropriate.
- Filter escape characters where appropriate.
- Don't use user-controllable input as part of XQL queries.
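As an added example (not code from the original post), the following Python module contrasts the concatenating query builder the post warns about with three of the defences listed above: escaping the string delimiter using XQuery's own doubled-quote escape, a parameterized query whose value travels through an external variable, and an allow-list validator. The XQuery processor that would run the text, the `accounts.xml` layout and the username pattern are assumptions.

```python
import re

# Constructed sample inputs: a normal username and an injection-style one
# that tries to close the string literal and rewrite the predicate.
NORMAL_NAME = "alice"
TAUTOLOGY_INPUT = "' or '1'='1"   # constructed, for illustration only

# Vulnerable builder: user input is concatenated straight into the query.
def vulnerable_query(name: str) -> str:
    return "doc('accounts.xml')//user[Name='" + name + "']"

# Mitigation 1: escape the delimiter. In XQuery a single quote inside a
# single-quoted literal is written as two single quotes (EscapeApos).
def escape_xquery_literal(value: str) -> str:
    return value.replace("'", "''")

def escaped_query(name: str) -> str:
    return "doc('accounts.xml')//user[Name='" + escape_xquery_literal(name) + "']"

# Mitigation 2 (preferred): parameterize. The query text is constant and the
# value is bound to an external variable by the XQuery processor (assumed to
# accept a {variable: value} mapping), so it can never change the structure.
def parameterized_query(name: str):
    query = ("declare variable $name external;\n"
             "doc('accounts.xml')//user[Name=$name]")
    return query, {"name": name}

# Mitigation 3: allow-list validation. Usernames are assumed to be short
# alphanumeric tokens; anything else is rejected before a query is built.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def validate_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None

# Structural check usable in a unit test: the predicate must contain exactly
# one string literal and no `or` operator outside a literal.
LITERAL_RE = re.compile(r"'(?:''|[^'])*'")

def predicate_altered(query: str) -> bool:
    predicate = query[query.index("[") + 1 : query.rindex("]")]
    literals = LITERAL_RE.findall(predicate)
    outside = LITERAL_RE.sub("", predicate)
    return len(literals) != 1 or " or " in outside

if __name__ == "__main__":
    for build in (vulnerable_query, escaped_query):
        q = build(TAUTOLOGY_INPUT)
        print(build.__name__, "->", q, "| altered:", predicate_altered(q))
    print(parameterized_query(TAUTOLOGY_INPUT))
    print(validate_username(NORMAL_NAME), validate_username(TAUTOLOGY_INPUT))
```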
Thanks for reading the blog...