XML Injection

In this post, we will look at XML injection. XML injection is also referred to as XPath injection: we inject a payload in much the same way as in SQL injection. We can check for XML injection by submitting a single quote; if the application throws an error, it is vulnerable to XML injection. Our main aim in SQL injection or XML injection is to make the query evaluate to true, which lets us bypass the check.


In this example we use Mutillidae, which can be downloaded from https://sourceforge.net/projects/mutillidae/

Set up Mutillidae on your localhost and we are good to go. As you are all aware, the OWASP Top 10 changed in 2017, and we have updated the categories accordingly. You can see the changes in our blog post OWASP Top 10 2017.

We also have our own vulnerable application, the Extreme Vulnerable Node Application (XVNA), available on GitHub; try it out on your localhost.

The XML Injection video is uploaded to our YouTube channel and you can see it below.

Link to our YouTube channel: Vegabird.

Prevention:

XML injection can be prevented by properly validating and sanitizing all user input before it is allowed to reach the main program code. Most types of XML injection attack can be prevented by simply removing all single and double quotes from the user input.
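As an added example (not code from the original post or from Mutillidae), here is a login lookup that concatenates the user input into an XPath query, beside the same lookup with the input bound as XPath variables so the query structure cannot change, using Ruby's bundled REXML library; the user records and the `strip_quotes` filter are constructed for this illustration.

```ruby
require 'rexml/document'

# Constructed user store standing in for the XML file behind a login form
# (sample data for this example, not Mutillidae's own accounts file).
USERS_XML = <<~XML
  <users>
    <user><username>alice</username><password>s3cret</password></user>
    <user><username>bob</username><password>hunter2</password></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable lookup: the two inputs are concatenated into the XPath text, so
# a quote in the input closes the literal and the rest is parsed as XPath.
# Returns the matching username, or nil when no user matches.
def login_vulnerable(username, password)
  query = "//user[username/text()='#{username}' and password/text()='#{password}']"
  user = REXML::XPath.first(DOC, query)
  user && user.elements['username'].text
end

# Hardened lookup: the expression is fixed and the inputs are handed to the
# evaluator as XPath variables ($u, $p), so quotes in them are only data.
def login_safe(username, password)
  query = "//user[username/text()=$u and password/text()=$p]"
  user = REXML::XPath.first(DOC, query, {}, { 'u' => username, 'p' => password })
  user && user.elements['username'].text
end

# The post's own prevention advice as code: drop single and double quotes.
# Shown for comparison; variable binding above is the stronger control
# because the query can no longer be restructured by any input.
def strip_quotes(input)
  input.delete("'\"")
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or '1'='1"
  puts "vulnerable, valid creds:    #{login_vulnerable('alice', 's3cret').inspect}"
  puts "vulnerable, injected:       #{login_vulnerable(payload, payload).inspect}"
  puts "safe, injected:             #{login_safe(payload, payload).inspect}"
  puts "vulnerable, quotes removed: #{login_vulnerable(strip_quotes(payload), strip_quotes(payload)).inspect}"
end
```

Run it stand-alone to see the injected query match the first user in the vulnerable lookup and match nothing in the bound one.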
