Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1394

XML Injection

Reviewed by: Cybersecurity entrepreneur & security researcher

What is XML Injection?

XML Injection: An attack that inserts malicious XML tags, attributes, or XPath fragments into an application's XML processing to alter logic or extract data.


XML injection occurs when user input is embedded into XML documents, SOAP messages, or XPath queries without proper encoding or validation. Attackers add new elements (XML injection), tamper with the document hierarchy (XML structural attacks), or modify XPath expressions (XPath injection) to bypass authentication, escalate privileges, or read arbitrary parts of an XML data source. A related variant is the XML External Entity (XXE) attack, which abuses the entity-resolution feature of XML parsers rather than the document built from user input. Defences include strict schema validation (XSD), parameterized XPath APIs or tree-building libraries instead of string concatenation, encoding of every untrusted value inserted into XML, disabling unused parser features such as external entity resolution, and hardened libraries with safe defaults. Schema validation constrains what an injected structure can do but does not by itself stop a payload that still yields a schema-valid document, so it complements encoding and tree-building APIs rather than replacing them.

Examples

  1. Injecting closing tags and comment markers into a registration or login field so that the record the application builds becomes <username>admin</username><!--<password>x</password>-->: the password element is commented out of the document and the attacker's record is processed as admin.

  2. Injecting ' or '1'='1 into both fields of an XPath login query such as //user[name='...' and password='...']: the quotes break out of the string literals and the predicate becomes always true, so the query matches every user and a fail-open application logs the attacker in as the first match (often the administrator).
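Both examples as runnable code, added here and not part of the original entry: the unsafe string-building pattern beside its safe counterpart, first for element injection into a user record and then for XPath literal construction, using only the Python standard library. The user store, record layout, payloads and function names (build_record_unsafe, xpath_string_literal, find_user_role and the rest) are constructed for illustration; an XPath engine that supports variable binding should be given bound variables rather than quoted literals.

```python
"""Added example: XML element injection and XPath injection, with the
unsafe string-building pattern beside the safe alternative for each.
Standard library only; the user store, record layout, function names and
payloads are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed user store that a login routine might search.
USERS_XML = """<users>
  <user><name>admin</name><password>s3cret</password><role>admin</role></user>
  <user><name>bob</name><password>hunter2</password><role>user</role></user>
</users>"""

# Constructed payloads for the two examples above.
INJECT_USERNAME = "admin</username><role>admin</role><!--"
INJECT_PASSWORD = "--><password>x"
XPATH_PAYLOAD = "' or '1'='1"


def build_record_unsafe(username, password):
    """Record built by string concatenation. The server writes
    <role>user</role> itself, but the raw input is pasted in as markup."""
    return (f"<user><username>{username}</username><role>user</role>"
            f"<password>{password}</password></user>")


def build_record_safe(username, password):
    """Same record built through the tree API. ElementTree escapes
    '<', '>' and '&' in .text on serialisation, so input stays data."""
    user = ET.Element("user")
    ET.SubElement(user, "username").text = username
    ET.SubElement(user, "role").text = "user"
    ET.SubElement(user, "password").text = password
    return ET.tostring(user, encoding="unicode")


def record_fields(xml_text):
    """Parse a record and return (tag, text) for each child in document
    order. The parser drops comments, which is exactly how the server's
    commented-out <role> element disappears in the unsafe case."""
    return [(child.tag, child.text) for child in ET.fromstring(xml_text)]


def xpath_string_literal(value):
    """Embed an arbitrary string as an XPath 1.0 string literal. XPath has
    no escape sequences inside literals, so choose a quote character the
    value lacks, or split on single quotes and rebuild with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = ", \"'\", ".join(f"'{part}'" for part in value.split("'"))
    return f"concat({pieces})"


def login_xpath_unsafe(username, password):
    """Query built by interpolation: a quote in the input ends the literal."""
    return f"//user[name='{username}' and password='{password}']"


def login_xpath_safe(username, password):
    """Query built with correctly delimited literals, for engines without
    variable binding; where the API offers bound variables, use those."""
    return (f"//user[name={xpath_string_literal(username)}"
            f" and password={xpath_string_literal(password)}]")


def find_user_role(username, password):
    """Lookup that builds no query at all: walk the tree and compare in
    Python, so the input can never be parsed as XPath. Returns the role
    of the matching user, or None."""
    for user in ET.fromstring(USERS_XML).iterfind("user"):
        if (user.findtext("name") == username
                and user.findtext("password") == password):
            return user.findtext("role")
    return None


if __name__ == "__main__":
    print(record_fields(build_record_unsafe(INJECT_USERNAME, INJECT_PASSWORD)))
    print(record_fields(build_record_safe(INJECT_USERNAME, INJECT_PASSWORD)))
    print(login_xpath_unsafe(XPATH_PAYLOAD, XPATH_PAYLOAD))
    print(login_xpath_safe(XPATH_PAYLOAD, "x"))
    print(find_user_role("admin", "s3cret"), find_user_role(XPATH_PAYLOAD, XPATH_PAYLOAD))
```

Running the module shows the unsafe record collapsing to username admin, role admin, password x, with the server-assigned role swallowed by the comment, while the safe record keeps the whole payload as escaped text in the username field. In the unsafe XPath query the payload's quotes terminate the literals and turn the predicate into an always-true expression; the safe builder wraps the same payload in double quotes so it remains one string value, and find_user_role sidesteps query construction entirely.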

Frequently asked questions

What is XML Injection?

An attack that inserts malicious XML tags, attributes, or XPath fragments into an application's XML processing to alter logic or extract data. It belongs to the Attacks & Threats category of cybersecurity.

What does XML Injection mean?

An attack that inserts malicious XML tags, attributes, or XPath fragments into an application's XML processing to alter logic or extract data.

How do you defend against XML Injection?

Defences for XML Injection combine technical controls and operational practices: validate documents against a strict schema (XSD), use parameterized XPath APIs or tree-building libraries rather than string concatenation, encode every untrusted value inserted into XML, disable unused parser features such as external entity resolution, and prefer hardened libraries with safe defaults.

What are other names for XML Injection?

Common alternative names include: XPath injection (related).
