XSLT INJECTION
XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents. XSLT operates on XML-based data: it can select specific nodes from an XML document and change the XML structure.
XSLT can be used to define a data format which is subsequently enriched with data from the XML document. XSLT data is structured like XML, but it contains XSL elements within nodes carrying the xsl prefix.
Commonly Used XSL Elements
- <xsl:template>: This element indicates an XSL template. It can contain a match attribute that holds a path in the XML document that the template applies to.
- <xsl:value-of>: This element extracts the value of the XML node specified in the select attribute.
- <xsl:for-each>: This element enables looping over all XML nodes specified in the select attribute.
- <xsl:sort>: This element specifies how to sort the elements selected in a for-each loop via its select attribute. Additionally, a sort order may be specified in the order attribute.
- <xsl:if>: This element can be used to test for conditions on a node. The condition is specified in the test attribute.
XSLT injection occurs whenever user input is inserted into XSL data before output generation by the XSLT processor. This enables an attacker to inject additional XSL elements into the XSL data, which the XSLT processor will then execute during output generation.
To prevent XSLT injection:
- Ensure that user input is not inserted into XSL data before processing by the XSLT processor.
- If user-provided data must be reflected in the XSL data before processing, implement proper sanitization and input validation to avoid XSLT injection vulnerabilities.
- Run the XSLT processor as a low-privilege process.
- Prevent the use of external functions, for example by turning off PHP functions within XSLT.
- Keep the XSLT library up to date; this can mitigate the impact of potential XSLT injection vulnerabilities.