Describe how an XML injection attack can be performed.
An XML injection attack happens when a user inputs malicious XML tags into a web application. These tags trick the XML parser into altering the document’s structure.
Example: If a user enters 1</quantity><price>1.0</price> into a "quantity" field, the XML becomes:
<quantity>1</quantity><price>1.0</price><quantity>1</quantity>
This adds a fake <price> tag, overriding the original price (e.g., changing it from 500.0 to 1.0).
Describe how an XML External Entity (XXE) attack can be performed.
An XXE attack exploits external entities in XML to access sensitive files or resources.
Example:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> <Hack>&xxe;</Hack>
Here, the XML defines an entity xxe that points to the server’s /etc/passwd file. When parsed, the server replaces &xxe; with the file’s contents, leaking sensitive data.
Describe how an XML Bomb attack can be performed.
An XML Bomb uses nested entities to create exponential growth in data, crashing the server.
<!ENTITY lo1 "lo1">
<!ENTITY lo2 "&lo1;&lo1;&lo1;&lo1;">
...
<!ENTITY lo10 "&lo9;&lo9;&lo9;&lo9;">
Each entity references the previous one multiple times. Parsing &lo10; would expand to billions of characters, consuming massive memory and causing a denial-of-service (DoS).
Describe how an XSD validation can be used to prevent XML injection attacks.
XSD validation checks if XML follows strict rules (elements, data types, structure).
Example: If an XSD specifies that <quantity> must be a number, injecting tags like <price>1.0</price> would violate the schema. The parser rejects the XML, blocking the attack.
How can XSD inheritance of simple types improve the input validation of XML messages (give an example)?
XSD allows creating custom simple types with strict rules using facets.
<xs:simpleType name="PhoneNumber">
  <xs:restriction base="xs:string">
    <xs:pattern value="[0-9]{3}-[0-9]{3}-[0-9]{4}"/>
  </xs:restriction>
</xs:simpleType>
This defines a PhoneNumber type that only accepts values like 123-456-7890. Any invalid input (e.g., letters) is rejected, improving security.
XSD validation acts like a "rulebook" for XML, blocking attacks by enforcing structure and data rules.
(restriction means the new type discards everything from the base type except what the listed facets allow)
Last modified 2 months ago