In this post we will look at XML injection, and in particular XPath injection, which is the variant demonstrated here: user input is concatenated into an XPath query that is run against an XML document, so the attack works much like SQL injection with XPath in the place of SQL. (Injecting tags into an XML document that an application builds from user input is also called XML injection and is a related but separate problem.) A quick test for XPath injection is to submit a single quote in an input field; if the application responds with an error, the quote has broken the syntax of the query, which tells us that our input reaches the query unescaped. As with SQL injection, our aim is to make the query's condition true regardless of the real values, for example by entering ' or '1'='1 as both the username and the password, so that the login check is bypassed.
In this example we use Mutillidae, which can be downloaded from https://sourceforge.net/projects/mutillidae/
Set up Mutillidae on your localhost and you are ready to go. As you are aware, the OWASP Top 10 was revised in 2017 and its categories changed; you can see the changes in our blog post on the OWASP Top 10 2017.
The XML injection video has been uploaded to our YouTube channel and is embedded below.
Prevention:
XPath injection is prevented by keeping user input out of the query syntax. Stripping single and double quotes from the input, as is often suggested, is a weak defence on its own: it mangles legitimate values (a surname such as O'Brien), and it does not cover every way the query can be altered, since a comparison in a numeric context such as id=1 or 1=1 needs no quotes at all. The preferred fix is the XPath equivalent of a parameterised query: bind user input as XPath variables (for example name=$username rather than a concatenated literal) where the XML library supports it, so the input is only ever treated as data. Validate input against a strict allowlist of the characters or values you expect, and if the query must be assembled as a string, escape quote characters rather than silently dropping them. Finally, treat an XPath parse error caused by user input as a likely injection attempt and log it rather than returning the error to the user.
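The following is an added example written for this page; it is not code from the original post or from Mutillidae. It ties together the technique described at the start of the post (the single-quote check and the ' or '1'='1 bypass) and the prevention advice above in one runnable Python script. It builds a small constructed XML user store, a toy evaluator for the subset of XPath 1.0 predicate syntax needed here (string comparisons joined by and/or, with and binding tighter than or, as in real XPath), a vulnerable login that concatenates input into the predicate, and a hardened login that compares the inputs as data, which is what binding them as XPath variables does in a real engine such as lxml. The user names, passwords, function names and the evaluator itself are assumptions made for the example; the ElementTree module in the Python standard library does not evaluate this predicate syntax, which is why the evaluator is written out rather than taken from a library.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample user store for this example (assumption, not real data).
USERS_XML = """<users>
  <user><name>admin</name><password>s3cret</password></user>
  <user><name>bob</name><password>hunter2</password></user>
</users>"""

# 'literal' | '=' | name or keyword | anything else (a syntax error)
TOKEN_RE = re.compile(r"'([^']*)'|(=)|([A-Za-z_]\w*)|(\S)")


def tokenize(predicate):
    """Split a predicate into (kind, text) tokens: lit, op, kw or name.
    An unmatched quote is a syntax error, as in a real XPath engine; this is
    why a lone single quote in a form field produces an error page."""
    tokens = []
    for lit, op, word, bad in TOKEN_RE.findall(predicate):
        if bad:
            raise ValueError("syntax error near %r" % bad)
        if op:
            tokens.append(("op", "="))
        elif word:
            tokens.append(("kw", word) if word in ("and", "or") else ("name", word))
        else:
            tokens.append(("lit", lit))
    return tokens


class Predicate:
    """Toy evaluator for  or_expr := and_expr ('or' and_expr)*
                          and_expr := cmp ('and' cmp)*
                          cmp := operand '=' operand  (operand: 'literal' | child name)
    'and' binds tighter than 'or', matching XPath 1.0 precedence."""

    def __init__(self, text):
        self.tokens, self.pos = tokenize(text), 0
        self.tree = self._chain("or", lambda: self._chain("and", self._cmp))
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % (self.tokens[self.pos],))

    def _take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _chain(self, keyword, sub):  # left-associative run of `sub keyword sub ...`
        node = sub()
        while self.pos < len(self.tokens) and self.tokens[self.pos] == ("kw", keyword):
            self.pos += 1
            node = (keyword, node, sub())
        return node

    def _cmp(self):
        left, eq, right = self._take(), self._take(), self._take()
        if eq != ("op", "=") or {left[0], right[0]} - {"lit", "name"}:
            raise ValueError("expected: operand = operand")
        return ("eq", left, right)

    def matches(self, elem, node=None):
        node = self.tree if node is None else node
        if node[0] == "or":
            return self.matches(elem, node[1]) or self.matches(elem, node[2])
        if node[0] == "and":
            return self.matches(elem, node[1]) and self.matches(elem, node[2])
        return self._value(node[1], elem) == self._value(node[2], elem)

    @staticmethod
    def _value(token, elem):  # a name means the text of that child element
        return token[1] if token[0] == "lit" else elem.findtext(token[1], default="")


def select_users(xml_text, predicate):
    """Names of the <user> elements matched by //user[<predicate>]."""
    pred = Predicate(predicate)
    return [u.findtext("name") for u in ET.fromstring(xml_text).iter("user") if pred.matches(u)]


def login_vulnerable(username, password):
    """The bug: user input is concatenated into the query and parsed as syntax."""
    return select_users(USERS_XML, "name='%s' and password='%s'" % (username, password))


def login_safe(username, password):
    """Hardened: input is compared as data and never parsed. With lxml the same
    is achieved by variable binding, root.xpath("//user[name=$u and password=$p]",
    u=username, p=password), instead of string formatting."""
    return [u.findtext("name") for u in ET.fromstring(USERS_XML).iter("user")
            if u.findtext("name") == username and u.findtext("password") == password]


def quote_probe_errors(username, password="x"):
    """The post's single-quote check: True when the input breaks the query."""
    try:
        login_vulnerable(username, password)
        return False
    except ValueError:
        return True
```

Running login_vulnerable("admin", "s3cret") returns ['admin'] and quote_probe_errors("'") returns True, which is the error page the post uses as its indicator. Entering ' or '1'='1 in both fields makes the predicate name='' or '1'='1' and password='' or '1'='1', which the parser groups as (name='' or ('1'='1' and password='')) or '1'='1', so login_vulnerable matches every user and returns ['admin', 'bob']; admin' or '1'='1 as the username with any password returns just ['admin']. The same payloads against login_safe return an empty list, because the input is compared with the stored text instead of being parsed.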