Weak XML Schema: Lax Processing

ABSTRACT

當 processContents 屬性設為 lax 或 skip 時，不會對通配符元素和屬性執行輸入驗證。

EXPLANATION

不強制執行嚴格輸入驗證的架構，會允許任意元素或屬性通過驗證。這為攻擊者將惡意文檔侵入系統打開了通道。

示例：假設您使用以下兩種架構進行驗證。

架構 1：

<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" >
<xs:element name="cart" >
<xs:complexType>
<xs:sequence>
	<xs:element name="itemID" maxOccurs="1" />
	<xs:any namespace="http://itemInfo" processContents="lax" minOccurs="1" maxOccurs="5"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

<?xml version="1.0"?>
<xsd:schema targetNamespace="http://itemInfo" xmlns:xsd="http://www.w3.org/2001/XMLSchema" >
<xsd:element name="name" type="xsd:string"/>
<xsd:element name="description" type="xsd:string"/>
</xsd:schema>

<?xml version=\"1.0\" ?>
<cart xmlns:itemInfo="http://itemInfo">
<itemID>123</itemID>
<itemInfo:name>Shoes</itemInfo:name>
<itemInfo:description>Black Shoes</itemInfo:description>
<itemInfo:price>1.00</itemInfo:price>
</cart>

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input

[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A2 Injection Flaws

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I

[5] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3510 CAT I

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 20

[7] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 020

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.2

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1

[11] Standards Mapping - FIPS200 - (FISMA) SI

[12] XML Schema Part 1:Structures Second Edition W3C