XPath injection attack and prevention
Attack and prevention of XPath injection
Author: Robi Sen
Source: Eaglebase
Date: 2007-11-07 17:19:41

With the rise of simple XML APIs, Web services, and Rich Internet Applications (RIAs), more organizations use XML as a data format in almost every area, from configuration files to remote procedure calls. Some have used XML documents in place of the more traditional text file or relational database, but as with any other application or technology that lets external users submit data, an XML application may be vulnerable to code injection attacks, especially XPath injection attacks.

Brief introduction
As new technologies emerge and are adopted, the threats against them also increase. Blind SQL injection is a well known form of code injection, but there are many other forms, some of which have not yet been well documented and understood. One recent code injection attack is XPath injection, which takes advantage of loose input validation and the error tolerance of XPath parsers, so that a disgruntled user can form malicious URLs or otherwise manipulate the XPath query to gain access to information without permission and to change it. This article examines how XPath attacks are executed in general and provides an example in a Java and XML environment. It discusses how to detect such threats, examines how to mitigate them, and finally discusses how to deal with suspected intrusions.

Introduction
This paper introduces a special type of code injection attack: blind XPath injection. If you are not familiar with XPath 1 or need to understand the basics, check out the W3Schools XPath tutorial (see Resources for links). You can also find a great many articles on using XPath in a variety of language environments on developerWorks (see Resources for links). The examples used in this article are primarily for XPath 1, but can also be used with XPath 2. XPath 2 actually adds to the problems you might encounter. This article also provides an example in Java code that uses JDK 5. While the concepts and themes of this article are cross-platform, if you want to use the specific code examples, you must use JDK 5.

Code injection
A more common attack and threat to Web applications is some form of code injection, which Wikipedia defines as: The technique of introducing (or injecting) code
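The mechanism described in the brief introduction above (user input becoming part of the query text, which an error-tolerant XPath parser then evaluates as written), shown as an added Java example that is not part of the original article: the vulnerable string-concatenated query beside a hardened version that passes input through XPathVariableResolver, the JDK 5 API the article's environment provides. The user store, the XPathLoginCheck class and the probe string are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathLoginCheck {
    // Constructed sample user store; not data from the article.
    static final String USERS_XML = "<users>"
        + "<user><name>alice</name><password>s3cret</password></user>"
        + "<user><name>bob</name><password>hunter2</password></user>"
        + "</users>";

    static Document parse(String xml) throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    // VULNERABLE: the caller's strings become part of the query text, so the
    // XPath parser evaluates whatever expression they turn it into.
    static int vulnerableCount(Document doc, String name, String pw) throws Exception {
        String q = "//user[name/text()='" + name + "' and password/text()='" + pw + "']";
        NodeList hits = (NodeList) XPathFactory.newInstance().newXPath()
            .evaluate(q, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    // HARDENED: the query text is a constant; input reaches the evaluator only
    // as variable values through XPathVariableResolver (available since JDK 5).
    static int safeCount(Document doc, final String name, final String pw) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName v) {
                if ("name".equals(v.getLocalPart())) return name;
                if ("pw".equals(v.getLocalPart())) return pw;
                return null;
            }
        });
        XPathExpression q = xp.compile("//user[name/text()=$name and password/text()=$pw]");
        return ((NodeList) q.evaluate(doc, XPathConstants.NODESET)).getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String probe = "' or '1'='1";  // constructed tautology input
        System.out.println(vulnerableCount(doc, probe, probe)); // the predicate is rewritten: every user matches
        System.out.println(safeCount(doc, probe, probe));       // the probe is compared as a literal string: no match
        System.out.println(safeCount(doc, "alice", "s3cret"));  // legitimate credentials still match
    }
}
```

The hardened form is the XPath analogue of a parameterized SQL statement; it still has to be combined with input validation, and the DOM document should be parsed with external entities and DOCTYPE declarations disabled when the XML itself comes from untrusted sources.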