1. Home
  2. CWE Database
  3. CWE-91
Base · Medium

CWE-91: XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

CWE-91 · Base Level ·1 Mitigations

Description

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax.

Potential Impact

Confidentiality, Integrity, Availability

Execute Unauthorized Code or Commands, Read Application Data, Modify Application Data

Mitigations & Prevention

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an ups...

Taxonomy Mappings

  • PLOVER: — XML injection (aka Blind Xpath injection)
  • OWASP Top Ten 2007: A2 — Injection Flaws
  • OWASP Top Ten 2004: A6 — Injection Flaws
  • WASC: 23 — XML Injection
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-91?

CWE-91 (XML Injection (aka Blind XPath Injection)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

How can CWE-91 be exploited?

Attackers can exploit CWE-91 (XML Injection (aka Blind XPath Injection)) to execute unauthorized code or commands, read application data, modify application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-91?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric

What is the severity of CWE-91?

CWE-91 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.