Base · Medium

CWE-112: Missing XML Validation


Description

The product accepts XML from an untrusted source but does not validate the XML against the proper schema.

Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.

Potential Impact

Integrity

Unexpected State

Demonstrative Examples

The following code loads and parses an XML file.
Bad
    // Read DOM
    try {
        ...
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setValidating( false );
        ....
        c_dom = factory.newDocumentBuilder().parse( xmlFile );
    } catch(Exception ex) {
        ...
    }
The XML file is loaded without validating it against a known XML Schema or DTD.
The following code creates a DocumentBuilder object to be used in building an XML document.
Bad
    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    builderFactory.setNamespaceAware(true);
    DocumentBuilder builder = builderFactory.newDocumentBuilder();
The DocumentBuilder object does not validate an XML document against a schema, making it possible to create an invalid XML document.

Mitigations & Prevention

Architecture and Design

Always validate XML input against a known XML Schema or DTD. It is not possible for an XML parser to validate all aspects of a document's content because a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Missing XML Validation
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-112?

CWE-112 (Missing XML Validation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product accepts XML from an untrusted source but does not validate the XML against the proper schema.

How can CWE-112 be exploited?

Attackers can exploit CWE-112 (Missing XML Validation) to put the product into an unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-112?

Key mitigations include: Always validate XML input against a known XML Schema or DTD. It is not possible for an XML parser to validate all aspects of a document's content because a parser cannot understand

What is the severity of CWE-112?

CWE-112 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.