XSLT injection
Description
XSLT (Extensible Stylesheet Language Transformations) injection occurs when an application builds an XSLT stylesheet from user-controlled input, or accepts a user-supplied stylesheet, without proper validation. XSLT is a powerful language used to transform XML documents into other formats such as HTML, text, or different XML structures. An attacker who controls part of a stylesheet gains the transformation engine's own capabilities: the document() function and xsl:include/xsl:import read local files and remote URLs (information disclosure and server-side request forgery), and processor-specific extension functions (for example Java extension calls in Xalan or script blocks in the .NET processor) can lead to remote code execution. The impact therefore ranges from data theft and file system access to full compromise of the server.
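The following is an added example, not code from the original page, showing the vulnerable pattern with the JDK's built-in XSLT processor: a "sort field" taken from the request is concatenated into the stylesheet text, so it can close the select attribute and smuggle in its own XSLT, here a document() call that reads a constructed secrets file. The class name, the sample XML and the temp file are assumptions for the demonstration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltInjectionDemo {

    // Constructed sample document that the application transforms.
    static final String ITEMS =
        "<items><item><name>pear</name></item><item><name>apple</name></item></items>";

    // VULNERABLE: the sort field from the request is spliced into the
    // stylesheet text, so it can close the attribute and add its own XSLT.
    static String buildStylesheet(String sortField) {
        return "<xsl:stylesheet version=\"1.0\" "
             + "xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
             + "<xsl:output method=\"text\"/>"
             + "<xsl:template match=\"/\">"
             + "<xsl:for-each select=\"/items/item\">"
             + "<xsl:sort select=\"" + sortField + "\"/>"
             + "<xsl:value-of select=\"name\"/><xsl:text>&#10;</xsl:text>"
             + "</xsl:for-each>"
             + "</xsl:template></xsl:stylesheet>";
    }

    // Default JAXP factory: secure processing off, document() allowed.
    static String transform(String stylesheet, String xml) throws Exception {
        Transformer t = TransformerFactory.newInstance()
            .newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Intended use: sort by the "name" element.
        System.out.print(transform(buildStylesheet("name"), ITEMS));

        // Constructed file standing in for data the application must never expose.
        Path secret = Files.createTempFile("secrets", ".xml");
        Files.write(secret, "<db><password>s3cr3t</password></db>".getBytes(StandardCharsets.UTF_8));

        // Attacker's sort field: closes select="...", closes the loop, pulls the
        // file in with document(), then reopens a loop so the remainder of the
        // template is still well-formed XML.
        String payload = "name\"/></xsl:for-each>"
            + "<xsl:copy-of select=\"document('" + secret.toUri() + "')\"/>"
            + "<xsl:for-each select=\"/nothing\"><xsl:sort select=\"name";
        System.out.print(transform(buildStylesheet(payload), ITEMS));

        Files.delete(secret);
    }
}
```

With the injected value the first transform's output loop is short-circuited and the text content of the secrets file is emitted instead of the item names; the same technique works against any file or URL the server process can reach, and against extension functions if the processor exposes them.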
Remediation
Implement the following security measures to prevent XSLT injection attacks:
1. Input Validation and Sanitization:
Never allow user input to directly control XSLT stylesheet content. If user input must influence transformations, use a whitelist approach with predefined, safe templates.
2. Disable Dangerous XSLT Features:
Configure your XSLT processor to disable potentially dangerous functions:
    // Java example - Secure TransformerFactory configuration
    import javax.xml.XMLConstants;
    import javax.xml.transform.TransformerConfigurationException;
    import javax.xml.transform.TransformerFactory;

    TransformerFactory factory = TransformerFactory.newInstance();
    // Secure processing: on the JDK processor this disables XSLT/XPath
    // extension functions and enforces resource limits. Throws
    // TransformerConfigurationException if the processor does not support it.
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // "" = no protocols allowed: blocks external DTDs and external stylesheets
    // loaded through xsl:import, xsl:include and document(). Older Xalan
    // builds that predate these JAXP properties throw IllegalArgumentException.
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
3. Restrict File System and Network Access:
Disable document(), xsl:include and xsl:import, which load local files and remote URLs, and disable processor-specific extension functions and script blocks (for example Xalan's Java extensions, msxsl:script in .NET, or registered PHP functions) that can execute code. Where the processor offers no such switch, use security managers or sandboxing to restrict what the XSLT process can read, write and connect to.
4. Use Static Stylesheets:
Store XSLT stylesheets as static files on the server rather than constructing them from user input. Pass user data only as parameters (xsl:param, set through the processor's parameter API) to pre-defined, trusted stylesheets; a parameter value is delivered as a string and is never parsed as XSLT or XPath.
5. Apply Principle of Least Privilege:
Run the XSLT processor with minimal system permissions to limit the impact of successful exploitation.
6. Regular Security Updates:
Keep your XSLT processor libraries up to date with the latest security patches.
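The following added example (not code from the original page) puts measures 1 to 4 together for the JDK processor: the stylesheet is static and compiled once, the factory is locked down, the sort field is checked against an allow list, and user data reaches the stylesheet only through an xsl:param. The class name, the allow list and the sample XML are assumptions; in a real deployment the stylesheet would be read from a file on the server rather than held in a constant.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltHardenedDemo {

    // Static stylesheet (stands in for a file on the server). The only
    // user-influenced part is the $sortField parameter.
    static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:param name=\"sortField\" select=\"'name'\"/>"
      + "<xsl:template match=\"/\">"
      + "<xsl:for-each select=\"/items/item\">"
      + "<xsl:sort select=\"*[local-name()=$sortField]\"/>"
      + "<xsl:value-of select=\"name\"/><xsl:text>&#10;</xsl:text>"
      + "</xsl:for-each></xsl:template></xsl:stylesheet>";

    // Allow list of fields the caller may sort by (assumed for the example).
    static final Set<String> ALLOWED_SORT_FIELDS = Set.of("name", "price");

    // Compiled once at startup with a locked-down factory.
    static final Templates TEMPLATES = compile();

    static Templates compile() {
        try {
            TransformerFactory f = TransformerFactory.newInstance();
            // Disables extension functions on the JDK processor.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Deny external DTDs and external stylesheets (import/include/document()).
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
            return f.newTemplates(new StreamSource(new StringReader(STYLESHEET)));
        } catch (Exception e) { // TransformerConfigurationException or IllegalArgumentException
            throw new IllegalStateException("cannot compile stylesheet securely", e);
        }
    }

    static String render(String xml, String sortField) throws Exception {
        // Measure 1: only predefined values may influence the transformation.
        if (!ALLOWED_SORT_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        Transformer t = TEMPLATES.newTransformer();
        // Measure 4: user data is a parameter value, never stylesheet text.
        t.setParameter("sortField", sortField);
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document.
        String items = "<items><item><name>pear</name><price>2</price></item>"
                     + "<item><name>apple</name><price>3</price></item></items>";
        System.out.print(render(items, "name"));
        System.out.print(render(items, "price"));
        try {
            render(items, "name\"/></xsl:for-each><xsl:copy-of select=\"document('file:///etc/passwd')\"/>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow list rejects the injected string outright. Even if that check were missing, the value would arrive inside the stylesheet as the string content of $sortField, match no child element, and never be interpreted as XSLT; and because document() is blocked by ACCESS_EXTERNAL_STYLESHEET, a stylesheet that did contain such a call would fail at transformation time rather than read the file.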