Menu Search Sign up

XML Injection


XML Injection is a threat that exploits web service applications that construct XML messages from user-supplied input. XML injection may result in leaking of sensitive/private information in backend web service applications, and/or loss of data integrity in backend web service applications.

Web applications often communicate with backend enterprise applications via the web service interface, which requires the front end web application to send XML requests to the backend web service providers. Web applications often take user input (taken out of the HTTP request query parameters or HTML form fields) and incorporate it in the XML message, which is then sent to the backend web service provider. The query results are then processed by the application and sometimes displayed to the user.

Privilege Escalation Example

To understand how XML injection works, let’s take a look at a privilege escalation example.

Suppose when a user registers with a web application, he fills out a web form and submits the following request:


The web application will use the user input to construct the following XML message:







Where <userid>500</userid> is not taken from any user input. Instead, it contains a value assigned by the web application as the user identifier. A userid value of “0” is reserved for administrator of the web application, and a userid value of “500” is used to indicate regular web users.

The web application will send the above XML message to the backend web service provider to store the registered user profile in the database.

Attacker’s Exploitation Step

The attacker can exploit the above logic by submitting the “password” value as follows for his registration:


The attacker will also need to submit the “mail” value as follows for his registration:


This will change the constructed XML message as below:







Note that in above XML message, the highlighted part where value 500 of element <userid> assigned by the web application (not taken from any user input) has been commented out, and the value of <userid> has become 0, meaning the user has registered as an administrator.