tags:

views:

82

answers:

3
+1  Q: 

How to defend against hacking if a user submits XML

I have a feature where users can submit pure XML in a form. When my server gets the response I will validate it against a XML schema then I store it in the database. I never show the XML on a webpage unless it is in a form for editing. I use the XML to render html forms or text in a webpage and I will encode the text and never show the actual XML in a browser unless its for editing. Am I subject to alota of hacking? How can I better defend against this?

For example:

<criteria name="Performance" type="textbox">115 Horsepower</criteria>

Above will render either a table cell with the word 115 Horsepower in it or it my render a textbox with the word 115 Horsepower in it.

+1  A: 

Think in the direction of some parts of XML missing and some parts repeating twice or more. Take care of those edge cases in your schema.

Developer Art  2010-09-09 15:46:15
OK..i have edited my post
Luke101  2010-09-09 16:10:41
+1  A: 

Here's one example of an attack vector for XML content:

http://en.wikipedia.org/wiki/Billion_laughs

Matthew Wilson  2010-09-09 16:02:19
Not a billion laughs, 6.8x10^38 laughs.
KeithS  2010-09-09 16:06:34
Is there a way to defend against this kind of attack?
Luke101  2010-09-09 17:22:04
The Wiki page links to http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html which has guidelines for Java (disabling certain features of the XML parser). Presumably similar things would apply in other languages.
Matthew Wilson  2010-09-10 07:26:53
+2  A: 

The most likely "hacking" you should look out for is Persistent Cross-Site Scripting. Depending on how you're converting that XML into HTML, a malicious user could use it to create a tag or attribute that executes Javascript in the context of your domain. Make sure that you're only allowing a limited set of HTML tags and attributes to be created, and all data is properly sanitized before outputting as tag/attribute content.

It's hard to say exactly what you need to do without knowing all the details of your system, though. It would be best to have someone familiar with cross-site scripting review your code.

Bob  2010-09-09 19:20:21

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?