views: 161
answers: 3
Is it vulnerable to use CDATA elements in XML documents? If so, what happens if we use CDATA elements in XML documents?

A: 

Vulnerable to what? An injection attack of some kind? CDATA tells the parser to pass the contents without parsing it, so if you're validating your XML I suppose the CDATA section misses out on the validation step.

The code that uses the XML stream should have some kind of business validation above and beyond the schema validation, so you're only at risk if you fail to check inputs before you use them.

duffymo
+3  A: 

A CDATA section is simply another way of representing character data within an XML document. It means exactly the same thing as any other (non-tag) text in a document, except that it's escaped differently.

There is no extra "vulnerability" associated with CDATA (except for bugs in your XML parsing library, of course).

Greg Hewgill
But what happens if the text entered between CDATA elements is not parsed by the parser? A malicious user can keep some kind of data that extracts all of the system commands of the target application, as it is not parsed by the XML parser. I think this is a type of vulnerability.
Madhan
Data in CDATA blocks *is* parsed by the parser. Specifically, the XML parser is looking for the `]]>` ending sequence. Everything else is treated as character data.
Greg Hewgill
Then what is a coercive parsing attack?
Madhan
If your question is about a specific kind of attack that you read about somewhere, then please ask *that* question instead of trying to make us read your mind.
Greg Hewgill
“Coercive parsing” is primarily a denial-of-service attack aimed at tying up client resources by making them parse large, complex nested XML structures. Whilst an exceptionally idiotic XML parser might allow a resultant stack overflow or error handling condition to execute arbitrary code, that's very much a fault of a broken parser and not XML's problem. Either way, you can't make a complex nested document out of CDATA sections because they don't nest.
bobince
+2  A: 

I don't know what you mean by ‘vulnerability’, but there is one mistake many people make with CDATA sections. This happens when a lazy programmer doesn't really understand text-escaping, and tries to avoid the normal process of &-encoding special characters in XML. They think they can get away with:

print "<element><![CDATA["+textstring+"]]></element>";

and whilst this will indeed stop a < or & character in textstring being treated as markup, it's not watertight because textstring might contain a ]]> sequence, resulting in:

<element><![CDATA[ Foo ]]> <bar>I'm an unexpected element!</bar> ]]></element>

This is an XML-injection, which like an HTML-injection could potentially have an XSS-like security impact.

So you'd still need to escape some sequences in CDATA (usually, you would split a ]]> sequence between two CDATA sections). In practice that makes using CDATA no easier than just &-encoding your text content the normal way. So really there is no reason ever to use a CDATA section.

bobince
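To show the point of this answer in working code, here is an added example (not part of the original answers) that builds the same `<element>` document three ways: the naive CDATA wrapper, a wrapper that splits every `]]>` across two CDATA sections, and plain &-encoding. A round-trip check then tells which builders preserve the text without letting any element in. The sample text is constructed to match the answer's example; the builder and check function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (mirrors the answer): text containing the CDATA terminator.
SAMPLE_TEXT = "Foo ]]> <bar>I'm an unexpected element!</bar> "


def naive_cdata(text: str) -> str:
    """The shortcut from the answer: wrap text in CDATA without checking for ']]>'."""
    return "<element><![CDATA[" + text + "]]></element>"


def safe_cdata(text: str) -> str:
    """Split every ']]>' across two CDATA sections so no section ends early.

    ']]>' becomes ']]' + ']]><![CDATA[' + '>'; the parser concatenates both parts
    back into the original character data.
    """
    return "<element><![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]></element>"


def encoded_text(text: str) -> str:
    """The normal route: let the XML library &-encode '<', '>' and '&' itself."""
    el = ET.Element("element")
    el.text = text
    return ET.tostring(el, encoding="unicode")


def round_trips(document: str, expected: str) -> bool:
    """True only if the document is well-formed, carries exactly `expected` as
    character data, and has no child elements (i.e. nothing was injected)."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        # A ']]>' left outside any CDATA section is itself not well-formed XML,
        # so the naive wrapper may also break parsing outright.
        return False
    return (root.text or "") == expected and len(root) == 0


if __name__ == "__main__":
    for name, build in (("naive", naive_cdata), ("safe", safe_cdata), ("encoded", encoded_text)):
        print(f"{name:8s} round-trips: {round_trips(build(SAMPLE_TEXT), SAMPLE_TEXT)}")
```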