Audit - Rules - XML Files
Description
This group contains audit rules that look for problems in XML files.
Rules:
Summary
XML attribute names should be spelled correctly.
Description
This audit rule finds XML attribute names that contain misspelled words.
Summary
XML attribute values should be spelled correctly.
Description
This audit rule finds XML attribute values that contain misspelled words.
Summary
XML body text should be spelled correctly.
Description
This audit rule finds XML body text that contains misspelled words.
Summary
XML comments should be spelled correctly.
Description
This audit rule finds XML comments that contain misspelled words.
Summary
XML tag names should be spelled correctly.
Description
This audit rule finds XML tag names that contain misspelled words.
Summary
All XML data entering the program should be validated by a parser against a DTD or XML Schema.
Description
Validating incoming data against a predefined model leaves less room for errors that could be exploited by an attacker. All XML data entering the program should be validated either against a DTD (using the factory's setValidating(true) method), against an XML Schema (using the factory's setSchema(Schema schema) method), or using the javax.xml.validation facilities introduced in Java 5.
Security Implications
Flaws in the data model, such as unvalidated structure or content, can be exploited by an attacker to perform an injection attack.
Example
The following code does not use any of the validation techniques before accessing and using DOM data, and would therefore be flagged as a violation:
DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(url).getDocumentElement();