BaseDraft

CWE-112Missing XML Validation

Category: other

Description

The product accepts XML from an untrusted source but does not validate the XML against the proper schema. Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.

Common consequences· 1

  • Integrity — Unexpected State

Potential mitigations· 1

  • [Architecture and Design]

Related CAPEC attack patterns· 2

CAPEC-230CAPEC-231

References

  1. https://cwe.mitre.org/data/definitions/112.html

Exploits (incoming)2

TypeTargetConfidenceTier
AttackPatternOversized Serialized Data Payloadscapec-231100%live
AttackPatternSerialized Data with Nested Payloadscapec-230100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Improper Control of Document Type Definition
CWE
Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
CWE
Insufficient Verification of Data Authenticity
CWE
Deserialization of Untrusted Data
CWE
XML Injection (aka Blind XPath Injection)
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.