[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

What is a CDATA injection attack?

• From: "Costello, Roger L." <costello@mitre.org>
• To: "xml-dev@lists.xml.org" <xml-dev@lists.xml.org>
• Date: Wed, 22 Aug 2012 11:24:19 +0000

Hi Folks,

Liam Quinn wrote:

> CDATA sections ... tend to be vectors for CDATA injection attacks.

What is a CDATA injection attack?

On the Open Web Application Security Project (OWASP) page [1] it has the following:

------------------------------------------------------------------------
Suppose we have a node containing some text that will be displayed back to the user.

<html>
 $HTMLCode
 </html>

Then, an attacker can provide the following input:

$HTMLCode = <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>

and obtain the following node:

<html>
  <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
 </html>

During the processing, the CDATA section delimiters are eliminated, generating the following HTML code:

<script>alert('XSS')</script>

The result is that the application is vulnerable to XSS (Cross-site Scripting).
------------------------------------------------------------------------

Is that a CDATA injection attack?

It raises several questions:

1. Their description says, 

       During the processing, ...

During what processing? XML parsing? Their example looks like HTML so why would there be XML parsing?


2. In their example they used multiple CDATA sections. Why? Couldn't the same attack be obtained using just one:

$HTMLCode = <![CDATA[<script>alert('XSS')</script>]]>


3. Also, couldn't the same attack be obtained by simply escaping the < characters:

$HTMLCode = &lt;script>alert('XSS')&lt;/script>


4. If yes, then why is it called a CDATA attack?

/Roger

[1] https://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29