rspec/rules/S6399/impact.adoc
github-actions[bot] 64f9977e49
Create rule S6399(C#): XML operations should not be vulnerable to injection attacks (#2860)
You can preview this rule
[here](https://sonarsource.github.io/rspec/#/rspec/S6399/csharp)
(updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com>
Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com>
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
2023-08-18 11:31:42 +02:00


=== What is the potential impact?

The consequences of an XML injection attack on an application vary greatly
depending on the application's logic. It can affect the application itself or
another component if the XML document is used for cross-component data exchange.
For this reason, the actual impact can range from benign information disclosure
to critical remote code execution.

==== Information disclosure

An attacker can craft a payload that makes the generated XML document
syntactically incorrect (not well-formed). When the data is later used, the
parsing component raises a technical error. If that error is displayed back to
the attacker or written to log files the attacker can reach, it may disclose
sensitive business or technical information.

This scenario, while generally the least severe one, is the most frequently
encountered. It can also combine with any of the other, logic-dependent, threats
described below.

==== Internal requests tampering

Some applications communicate with backend micro-service APIs using XML-based
protocols such as SOAP. When those applications are vulnerable to XML
injection, attackers can tamper with the content of the internal requests. This
allows them to change the requests' parameters or target locations, which in
turn can lead to various consequences such as performing unauthorized actions or
accessing sensitive data.

For example, altering a user creation request in this way can lead to privilege
escalation if attackers manage to modify the privilege level assigned to the
new account.

==== Code execution

An application might build objects from an XML serialization string. In that
case, an attacker who exploits an XML injection could alter the serialization
string and thereby modify the corresponding object's properties. Depending on
the deserialization process, this might allow instantiating arbitrary objects
or objects with sensitive properties altered. This can lead to arbitrary code
execution, in the same way as a deserialization injection vulnerability.
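
The following Python script is an added illustration of the information disclosure and internal request tampering scenarios above; it is not part of the rule description or of any SonarSource project. It builds a SOAP user-creation request twice, once by string concatenation and once with the XML API, then feeds both to a small backend-side parser. The request shape, the `urn:example:users` namespace and the element names are assumptions made for the demonstration, and the two attacker payloads are constructed. The same structural injection is what lets an attacker alter an XML serialization string in the code execution scenario, although that last step is not reproduced here.

```python
"""XML injection impact, illustrated end to end (added example, not part of
the rule description). The SOAP user-creation request below, its element
names and the ``urn:example:users`` namespace are assumptions made for the
demonstration; the two attacker payloads are constructed."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
APP_NS = "urn:example:users"                             # assumed application namespace

# Constructed payloads. The first one breaks well-formedness (information
# disclosure scenario); the second one is well-formed XML that closes
# <username> early and smuggles in a <role> element (tampering scenario).
MALFORMED_PAYLOAD = "alice<"
TAMPERING_PAYLOAD = "alice</username><role>admin</role><username>"


def build_request_vulnerable(username: str) -> str:
    """Vulnerable: the untrusted value is concatenated into the markup, so it
    can change the document's structure instead of only its text content."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<createUser xmlns="{APP_NS}">'
        f"<username>{username}</username><role>user</role>"
        f"</createUser></soap:Body></soap:Envelope>"
    )


def build_request_safe(username: str) -> str:
    """Hardened: the document is built with the XML API. ElementTree escapes
    '<', '>' and '&' when serializing text, so the input can only be text."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    create = ET.SubElement(body, f"{{{APP_NS}}}createUser")
    ET.SubElement(create, f"{{{APP_NS}}}username").text = username
    ET.SubElement(create, f"{{{APP_NS}}}role").text = "user"
    return ET.tostring(env, encoding="unicode")


def parse_roles(xml_doc: str) -> list:
    """Backend side: return every <role> requested, in document order. A
    backend that honours the first one would grant the injected 'admin'."""
    root = ET.fromstring(xml_doc)
    return [r.text for r in root.iter(f"{{{APP_NS}}}role")]


def parse_username(xml_doc: str) -> Optional[str]:
    """Backend side: return the first <username> text (None if absent)."""
    node = ET.fromstring(xml_doc).find(f".//{{{APP_NS}}}username")
    return None if node is None else node.text


def leaked_parser_error(username: str) -> Optional[str]:
    """Information disclosure: build the vulnerable request and return the raw
    parser error an application might echo back, or None if it parsed."""
    try:
        parse_roles(build_request_vulnerable(username))
    except ET.ParseError as exc:
        return str(exc)  # e.g. "not well-formed (invalid token): line 1, column N"
    return None


def handle_request(xml_doc: str) -> Tuple[dict, Optional[str]]:
    """What the backend should do instead: keep the parser detail in a
    server-side log line and return only a generic message to the caller.
    Returns (client_response, server_log_line)."""
    try:
        return {"status": "ok", "roles": parse_roles(xml_doc)}, None
    except ET.ParseError as exc:
        return {"status": "error", "message": "Invalid request"}, f"rejected malformed request: {exc}"


if __name__ == "__main__":
    print("leaked parser error:", leaked_parser_error(MALFORMED_PAYLOAD))
    print("vulnerable roles:", parse_roles(build_request_vulnerable(TAMPERING_PAYLOAD)))
    print("safe roles:", parse_roles(build_request_safe(TAMPERING_PAYLOAD)))
    print("safe username:", parse_username(build_request_safe(TAMPERING_PAYLOAD)))
```

With the concatenating builder, the tampering payload yields a request whose first `<role>` is `admin`, while the API-built request keeps a single `user` role and stores the whole payload as the username text. The malformed payload makes the concatenated document fail to parse, and `leaked_parser_error` shows the kind of parser message that must not reach the client. Any XML library with a proper writer gives the same protection; for the C# variant of this rule that means building documents with `XmlWriter` or `XElement` rather than string formatting.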