XQuery Injection Mea Culpa

There was a paper at the 2011 Balisage about XQuery Injection attacks.  The paper focuses on attacks against eXist but got me thinking.
http://www.balisage.net/Proceedings/vol7/html/Vlist02/BalisageVol7-Vlist02.html

Usually when we talk about Injection attacks at ML, we focus on xdmp:eval() and xdmp:value() and making sure that the input string is not derived from user supplied data.

With injection attacks in mind, I turned my attention to source code I wrote for a project going live this month and found the following:

let $uri := xdmp:get-request-field($cfg:URI_PARAM, ())
let $doc := fn:doc($uri)/element()
return
   v:render( $doc )

So the web client clicks on a link  something like

<a href="/page/render?uri=%2Fdoc%2F1.xml">link</a>

and gets an XHTML rendering of the document at URI “/doc/1.xml”.   The only things in the content database of this HTTP server are  <doc:doc> XML documents which 100% of the user base are allowed to see and <audit:audit> XML audit logs, which are really meant only for admins.  It may not the biggest attack vulnerability but a user could URL-BASH to see other user’s audit logs.    Making the following change solves the problem:

let $doc := fn:doc($uri)/doc:doc

I then got paranoid and put in 2 or 3 other safeguards, but you get my point.  Here are some tips I have compiled:

  • Watch out for passing user contributed strings into fn:doc(), fn:collection() as well as xdmp:eval() and xdmp:value() if you aren’t using document permissions for security.
  • Prefer XPath to fn:doc() when selecting documents for update.
  • Never store a user’s password as plaintext in XML.  If you aren’t using the security database users, 1-way hash+salt those passwords or database hipsters will call you names.
  • Throw in an extra xdmp:request-timestamp() value assert to force read-only transactions where appropriate.  This is most likely to help protect you down the road in O&M when others are quickly modifying the code base to solve problems or add features.

Citation:

van der Vlist, Eric. “XQuery Injection: Easy to exploit, easy to prevent….” Presented at Balisage: The Markup Conference 2011, Montréal, Canada, August 2 – 5, 2011. In Proceedings of Balisage: The Markup Conference 2011. Balisage Series on Markup Technologies, vol. 7 (2011). doi:10.4242/BalisageVol7.Vlist02.

One comment

  1. I caught this same kind of thing in some of my code last night — an endpoint intended to retrieve images could have been used to get user information. Quickly fixed, but your point that vulnerabilities aren’t just about eval()/value() is a good one.