Missing XML Validation
Weakness ID: 112 (Weakness Base)Status: Draft
+ Description

Description Summary

The software accepts XML from an untrusted source but does not validate the XML against the proper schema.

Extended Description

Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

The following code loads an XML file without validating it against a known XML Schema or DTD.

(Bad Code)
Example Language: Java 
// Read DOM
try {
...
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setValidating( false );
....
c_dom = factory.newDocumentBuilder().parse( xmlFile );
} catch(Exception ex) {
...
}

Example 2

The following code excerpt creates a non-validating XML DocumentBuilder object (one that doesn't validate an XML document against a schema).

(Bad Code)
Example Language: Java 
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
builderFactory.setNamespaceAware(true);
DocumenbBuilder builder = builderFactory.newDocumentBuilder();
+ Potential Mitigations

Always validate XML input against a known XML Schema or DTD.

+ Other Notes

It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Development Concepts (primary)699
Seven Pernicious Kingdoms (primary)700
Research Concepts (primary)1000
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsMissing XML Validation
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
99XML Parser Attack
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Demonstrative Example, Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2008-11-24CWE Content TeamMITREInternal
updated Description, Other Notes
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-10-29CWE Content TeamMITREInternal
updated Description