    XQuery Injection

    Overview

    XQuery Injection is an attack technique that occurs when untrusted data is concatenated into XQuery queries. This lets an attacker run arbitrary queries against the XML database. In other words, this type of injection applies to any application that uses XQuery to query XML documents. Before going further, let us see what XQuery is all about.

    XQuery

    The XQuery language is used to query data stored in an XML database. XQuery can be considered a superset of the XPath language that adds SQL-like syntax as well as some useful functions for querying XML documents. The important features of XQuery are:

    • Compact syntax for building XQL (XQuery) queries.
    • Extracting information from a database for use in a web service or an application integration.
    • Getting reports on XML content stored in an XML database.
    • Transforming XML data into XHTML for publishing on the Web.
    • Quickly traversing the XML tree.
    • Predicates that filter out the nodes we don't require.

    Examples:

    Any person or user can attack with an XQuery expression to get information from the XML database. Similar to SQL injection, a user can craft conditions that make the query evaluate to true. For example, if input is not validated properly, the following string can be used by an attacker to get all the usernames from the database:

    doc("accounts.xml")//user[Name='*']

    Cause

    The main causes of such injection are:

    • Improper validation of input that is then executed as a command in the application.
    • User input coming from a source that is not trustworthy.
    • Data being used to dynamically build an XQuery expression.
    • Neglecting the dangerous characters or escape strings that are commonly used in XQuery queries to pull information from the XML database.

    Impact

    The impact depends mainly on the type of data that is appended to the queries. If the attacker succeeds in exposing the data, he can take complete control of the application. The main consequences of this attack are:

    • Loss of confidentiality.
    • Escalation of privileges.
    • Loss of important information.
    • Modification or deletion of sensitive information stored in the XML database.
    • Execution of arbitrary code, allowing the attacker to take complete control of the application.

    Prevention

    • Developers should use CAPTCHA to prevent the application from being driven by an automated tool.
    • Build parameterized queries, which ensure separation between the data plane and the control plane.
    • Properly validate user input and reject data where appropriate.
    • Filter escape characters where appropriate.
    • Don't use user-controllable input as part of XQL queries.
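The following is an added example, not code from the original post, that ties the Examples section and the Prevention list together. It puts the page's concatenated query (`doc("accounts.xml")//user[Name='...']`) beside a parameterized form that declares an external XQuery variable and passes the value as a separate binding, plus an allowlist validator for the username. The binding convention (a fixed query text plus a name-to-value map, as XQuery APIs such as XQJ's prepared expressions use) is assumed; no XQuery engine is executed here, and `accounts.xml` and the sample names are constructed.

```python
import re

# Constructed template, taken from the page's own example:
# doc("accounts.xml")//user[Name='...'] returns the <user> elements whose
# <Name> child equals the supplied value.


def build_query_unsafe(name: str) -> str:
    """Vulnerable: user input is concatenated into the XQuery text.

    Any quote, bracket, '*' or operator in `name` becomes part of the query
    structure (the control plane) instead of the value being compared."""
    return "doc(\"accounts.xml\")//user[Name='" + name + "']"


def build_query_safe(name: str) -> tuple[str, dict[str, str]]:
    """Hardened: the query text is a constant that declares an external
    variable; the value travels separately as a binding.  This is the
    'parameterized query' the Prevention list asks for.  (Assumption: the
    database API accepts the text plus a binding map, as XQJ-style prepared
    expressions do; the engine itself is not run in this example.)"""
    query = (
        'declare variable $name as xs:string external;\n'
        'doc("accounts.xml")//user[Name = $name]'
    )
    return query, {"name": name}


# Allowlist for the one input the example reads.  Quotes, brackets, '*',
# whitespace and operators, i.e. everything with meaning inside an XQuery
# predicate, are simply not in the permitted set.
_USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_username(name: str) -> bool:
    """True only for values made of characters a username is expected to use."""
    return _USERNAME.fullmatch(name) is not None


def lookup_user(name: str) -> tuple[str, dict[str, str]]:
    """Defensive path: reject unexpected input first, then build the
    parameterized query.  Raises ValueError rather than sending a malformed
    or attacker-shaped query to the XML database."""
    if not validate_username(name):
        raise ValueError(f"rejected username: {name!r}")
    return build_query_safe(name)


def query_structure_changes(name: str) -> bool:
    """Shows why concatenation is wrong even for benign input: a value with an
    apostrophe (a real surname, say) leaves the unsafe predicate without a
    single balanced string literal, so the query's shape depends on the data."""
    q = build_query_unsafe(name)
    predicate = q[q.index("[") + 1 : q.rindex("]")]
    return predicate.count("'") != 2


if __name__ == "__main__":
    print(build_query_unsafe("O'Brien"))          # predicate is now malformed
    print(query_structure_changes("O'Brien"))     # True
    query, bindings = lookup_user("alice")
    print(query)
    print(bindings)                               # {'name': 'alice'}
    try:
        lookup_user("*")                          # the page's wildcard value
    except ValueError as exc:
        print(exc)
```

Note that the safe query text never changes, whatever the input is; only the binding map does, so the database receives the user's value strictly as data. The validator is a second, independent layer: even if a caller bypasses `lookup_user` and uses `build_query_safe` directly, the external variable still cannot alter the predicate.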

    Thanks for reading the blog...
