Missing XML Validation

ID: CWE-112
Date: (C) 2012-05-14, (M) 2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Base

Description

The software accepts XML from an untrusted source but does not validate the XML against the proper schema.

Extended Description

Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

Scope: Integrity
Technical Impact: Unexpected state
Notes: none

Detection Methods
None

Potential Mitigations

Phase / Strategy: not given
Description: Always validate XML input against a known XML Schema or DTD.
Effectiveness / Notes: not given


Relationships

Related CWE: CWE-112 ChildOf CWE-896 | Type: Category | View: CWE-888 | Chain: none

Demonstrative Examples

  1. The following code excerpt creates a non-validating XML DocumentBuilder object (one that doesn't validate an XML document against a schema).
  2. The following code loads an XML file without validating it against a known XML Schema or DTD.
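As an added illustration (not code from the CWE entry itself), the following Java shows the non-validating DocumentBuilder pattern of example 1 beside a builder that validates parsed input against a known W3C XML Schema, as the mitigation above requires. The schema file name order.xsd, the namespace urn:example:order and the element names are assumptions for the sample.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import java.io.File;
import java.io.StringReader;

public class XmlValidationExample {
    // Weak: a non-validating builder accepts any well-formed XML,
    // whatever elements or values it contains (the pattern in example 1).
    static Document parseUnvalidated(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened: attach a known XML Schema so structure and types are checked,
    // and make validation errors fatal (the default ErrorHandler only logs them).
    static Document parseValidated(String xml, File xsd) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(new StreamSource(xsd)); // assumed schema file
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setSchema(schema); // validate during parsing, not as an afterthought
        // Reject DOCTYPE so untrusted input cannot substitute its own DTD.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(new ErrorHandler() {
            public void warning(SAXParseException e) throws SAXException { throw e; }
            public void error(SAXParseException e) throws SAXException { throw e; }
            public void fatalError(SAXParseException e) throws SAXException { throw e; }
        });
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a <quantity> the assumed schema declares as a positive integer.
        String input = "<order xmlns=\"urn:example:order\"><quantity>-5</quantity></order>";
        parseUnvalidated(input);                      // accepted: only well-formedness is checked
        parseValidated(input, new File("order.xsd")); // throws SAXParseException on the bad value
    }
}
```

Note that dbf.setValidating(true) is the older DTD-based switch; with setSchema the factory must stay non-validating, otherwise the parser warns about the conflicting configuration.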

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: 7 Pernicious Kingdoms | Id: none | Name: Missing XML Validation | Fit: none

References:
None

Related CVEs (1): CVE-2020-27282

© SecPod Technologies