OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
What is a CDATA injection attack?

Hi Folks,

Liam Quinn wrote:

> CDATA sections ... tend to be vectors for CDATA injection attacks.

What is a CDATA injection attack?

On the Open Web Application Security Project (OWASP) page [1] it has the following:

Suppose we have a node containing some text that will be displayed back to the user.


Then, an attacker can provide the following input:

$HTMLCode = <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>

and obtain the following node:


During the processing, the CDATA section delimiters are eliminated, generating the following HTML code:


The result is that the application is vulnerable to XSS (Cross-site Scripting).

Is that a CDATA injection attack?

It raises several questions:

1. Their description says, 

       During the processing, ...

During what processing? XML parsing? Their example looks like HTML so why would there be XML parsing?

2. In their example they used multiple CDATA sections. Why? Couldn't the same attack be obtained using just one:

$HTMLCode = <![CDATA[<script>alert('XSS')</script>]]>

3. Also, couldn't the same attack be obtained by simply escaping the < characters:

$HTMLCode = &lt;script>alert('XSS')&lt;/script>

4. If yes, then why is it called a CDATA attack?


[1] https://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS