2

Do JAX-RPC and Axis2 have built-in support for XML injection?

If not, how can I add custom code to perform escaping and schema validations on my own?

Edit: I looked at the code generated by JAX-RPC, it looks like the code performs schema validations - so that is one step towards protection from XML injection. The question that remains is - what about character escaping?

About Axis2 - I think it is done based on annotations on the actual beans that represent the model - so if there are no restriction annotations - it seems like XML injection is possible - but I would prefer an expert's answer on that as well.

RonK
  • 9,472
  • 8
  • 51
  • 87

1 Answers1

1

I would be surprised if either of these technologies were vulnerable to XML injection (do you mean XPath injection by the way?). They are build on standard Java APIs like JAXP which have been around for a long time, and escape any dangerous characters <, & etc automatically.

That doesn't mean you don't have to be careful you don't introduce injection vulnerabilities when using these technologies in your own application. For example, it still seems difficult to parameterized XPath queries safely in Java.

artbristol
  • 32,010
  • 5
  • 70
  • 103
  • Thank you for the answer, during `serialization` I'm sure they perform escaping. But during `de-serializaton` there is not much left to do. If I have a server, and my client is not using any of those tools - it will leave room for anyone to manipulate the XML before it reaches me. It will leave me still vulnerable. – RonK Jun 28 '11 at 11:15
  • I'm not sure we're using the same definition of XML injection. Perhaps you could update your question with precisely what you mean? – artbristol Jun 28 '11 at 11:18