XML Injection Attack

From Guidance Share


An attacker supplies input that the application inserts into dynamically generated XML, so the attacker's data is interpreted as markup and alters the structure or content of the resulting document. (See also XPath injection attacks.)


Vulnerabilities:

  • Inappropriate or lacking schema validation
  • Dynamic XML generation using untrusted input


Countermeasures:

  • Validate the generated or received XML against a defined XSD schema
  • Perform context-sensitive encoding of untrusted input using an encoding library (e.g., IOSec) before inserting it into element text or attribute values
  • Validate untrusted input against an inclusion list before use (e.g., a RegEx pattern, primitive type casting, or a domain constraint)
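The following is an added example, not code from the Guidance Share page: it builds a user record from an untrusted name by plain string concatenation (the vulnerable pattern) and then applies two of the countermeasures above, context-sensitive encoding and inclusion-list validation. The sample input, element names and the `NAME_ALLOWED` pattern are constructed for the demonstration; XSD validation is not shown because the Python standard library has no XSD validator.

```python
# Added example (not from the original page). Compares unsafe XML generation
# with the encoding and allow-list countermeasures the page recommends.
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample input: a "username" that carries XML markup.
UNTRUSTED_NAME = 'alice</name><role>admin</role><name>'


def build_user_xml_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into the markup."""
    return f"<user><name>{name}</name><role>guest</role></user>"


def build_user_xml_encoded(name: str) -> str:
    """Countermeasure: encode for the XML text-node context before insertion."""
    return f"<user><name>{escape(name)}</name><role>guest</role></user>"


def build_user_xml_tree(name: str) -> str:
    """Same countermeasure via a tree builder, which encodes text and attributes itself."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = "guest"
    return ET.tostring(user, encoding="unicode")


# Hypothetical inclusion-list rule for a username: short, alphanumeric plus _ . -
NAME_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def name_is_allowed(name: str) -> bool:
    """Countermeasure: inclusion-list check; anything outside the pattern is rejected."""
    return NAME_ALLOWED.fullmatch(name) is not None


def roles_in(xml_text: str) -> list:
    """Parse the generated document and list the roles it actually grants."""
    root = ET.fromstring(xml_text)
    return [r.text for r in root.findall("role")]


if __name__ == "__main__":
    print(roles_in(build_user_xml_unsafe(UNTRUSTED_NAME)))   # ['admin', 'guest']: structure altered
    print(roles_in(build_user_xml_encoded(UNTRUSTED_NAME)))  # ['guest']
    print(roles_in(build_user_xml_tree(UNTRUSTED_NAME)))     # ['guest']
    print(name_is_allowed(UNTRUSTED_NAME))                   # False: rejected before use
```

Parsing the generated document and counting `role` elements is also a cheap detection check for a test suite: a well-formed result with unexpected extra elements means the builder is still splicing raw input into markup.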