{"id":479730,"date":"2023-08-09T10:43:58","date_gmt":"2023-08-09T10:43:58","guid":{"rendered":""},"modified":"2023-09-05T11:19:26","modified_gmt":"2023-09-05T11:19:26","slug":"xml-injection","status":"publish","type":"wiki","link":"https://oneproxy.pro/cn/wiki/xml-injection/","title":{"rendered":"XML Injection"},
"content":{"rendered":"<p>Brief information about XML Injection</p>\n<p>XML Injection is an attack in which an attacker injects arbitrary XML code into an XML document. The application may then parse and process this malicious content, leading to unauthorized data access, bypassed security measures, and potentially remote code execution.</p>\n<h2>The history of the origin of XML Injection and its first mention</h2>\n<p>XML Injection can be traced back to the early days of XML technology itself. As XML became a standard for data exchange and storage in the late 1990s, security researchers quickly discovered its potential vulnerabilities. The first public mentions of XML Injection can be traced to security advisories and forums in the early 2000s, when vulnerabilities in XML parsers began to be documented.</p>\n<h2>Detailed information about XML Injection. Expanding the topic of XML Injection</h2>\n<p>XML Injection is particularly dangerous because XML is widely used in web applications, web services, and many other domains. It involves inserting malicious XML content into an XML document, which can lead to:</p>\n<ul>\n<li>Confidentiality violations</li>\n<li>Integrity violations</li>\n<li>Denial of service (DoS)</li>\n<li>Remote code execution</li>\n</ul>\n<p>The widespread use of XML in technologies such as SOAP (Simple Object Access Protocol) further increases the risk: if implemented improperly, security mechanisms can be bypassed.</p>\n<h2>The internal structure of XML Injection. How XML Injection works</h2>\n<p>XML Injection works by manipulating the XML data sent to an application, exploiting weak input validation or misconfiguration.</p>\n<ol>\n<li><strong>The attacker identifies vulnerable XML input:</strong> The attacker finds a point where the application parses XML data.</li>\n<li><strong>Crafting malicious XML content:</strong> The attacker crafts malicious XML content that includes executable code or structures that exploit the XML parser's logic.</li>\n<li><strong>Injecting the content:</strong> The attacker sends the malicious XML content to the application.</li>\n<li><strong>Exploitation:</strong> If successful, the malicious content is executed or processed as the attacker intended, triggering various attacks.</li>\n</ol>\n<h2>Analysis of the key features of XML Injection</h2>\n<p>Some key features of XML Injection include:</p>\n<ul>\n<li>Exploiting weakly configured XML parsers.</li>\n<li>Bypassing security mechanisms by injecting malicious code.</li>\n<li>Executing unauthorized queries or commands.</li>\n<li>Potentially leading to complete system compromise.</li>\n</ul>\n<h2>Types of XML Injection</h2>\n<table>\n<thead>\n<tr>\n<th>Type</th>\n<th>Description</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>Basic Injection</td>\n<td>Involves the simple injection of malicious XML content.</td>\n</tr>\n<tr>\n<td>XPath Injection</td>\n<td>Exploits XPath queries to retrieve data or execute code.</td>\n</tr>\n<tr>\n<td>Second-order Injection</td>\n<td>Uses stored malicious XML content to carry out the attack later.</td>\n</tr>\n<tr>\n<td>Blind Injection</td>\n<td>Infers information from the application's responses.</td>\n</tr>\n</tbody>\n</table>\n<h2>Ways of using XML Injection, problems encountered in use and their solutions</h2>\n<p>XML Injection can be used for various malicious purposes, such as stealing data, escalating privileges, or causing DoS. Solutions include:</p>\n<ul>\n<li>Proper input validation</li>\n<li>Using secure coding practices</li>\n<li>Regular security audits and vulnerability assessments</li>\n<li>Employing XML security gateways</li>\n</ul>\n<h2>Main characteristics and other comparisons with similar terms</h2>\n<table>\n<thead>\n<tr>\n<th>Term</th>\n<th>Description</th>\n<th>Similarities</th>\n<th>Differences</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>XML Injection</td>\n<td>Injects malicious XML content into an application.</td>\n<td></td>\n<td></td>\n</tr>\n<tr>\n<td>SQL Injection</td>\n<td>Injects malicious SQL queries into database queries.</td>\n<td>Both involve injection and exploit weak input validation.</td>\n<td>Target different technologies.</td>\n</tr>\n<tr>\n<td>Command Injection</td>\n<td>Injects malicious commands into a command-line interface.</td>\n<td>Both can lead to remote code execution.</td>\n<td>Different targets and exploitation techniques.</td>\n</tr>\n</tbody>\n</table>\n<h2>Perspectives and technologies of the future related to XML Injection</h2>\n<p>As XML continues to be a popular data exchange format, the security community is working on more robust parsing mechanisms and frameworks. Future technologies may include AI-driven detection algorithms, more advanced sandboxing techniques, and real-time monitoring systems to identify and mitigate XML Injection attacks.</p>\n<h2>How proxy servers can be used or associated with XML Injection</h2>\n<p>Proxy servers, such as those provided by OneProxy, play an important role in defending against XML Injection. By filtering, monitoring and logging XML traffic, proxy servers can detect suspicious patterns, block malicious requests, and provide an additional layer of security.</p>\n<h2>Related links</h2>\n<ul>\n<li><a href=\"https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing\" target=\"_new\" rel=\"noopener nofollow\">OWASP XML External Entity (XXE) Processing</a></li>\n<li><a href=\"https://www.w3.org/XML/\" target=\"_new\" rel=\"noopener nofollow\">W3C XML Specification</a></li>\n<li><a href=\"https://cwe.mitre.org/data/definitions/91.html\" target=\"_new\" rel=\"noopener nofollow\">MITRE Common Weakness Enumeration for XML Injection</a></li>\n</ul>\n<p>These links provide extensive information about XML Injection, its mechanisms, and methods of defence. Using these resources gives a more complete understanding of XML Injection and how to defend against it.</p>","protected":false},
"featured_media":479731,"menu_order":0,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"class_list":["post-479730","wiki","type-wiki","status-publish","has-post-thumbnail","hentry"],
"acf":{"faq_title":"Frequently Asked Questions about <mark>XML Injection</mark>","faq_items":[{"question":"What is XML Injection?","answer":"<p>XML Injection is a type of security attack where an attacker injects arbitrary XML code into an XML document, which can then be parsed and executed by the application. This can lead to unauthorized access to data, bypassing security measures, and even remote code execution.</p>"},{"question":"What is the history of XML Injection?","answer":"<p>XML Injection can be traced back to the late 1990s, with the rise of XML technology. The first public mention of this vulnerability appeared in the early 2000s, as security researchers started to explore the exploitation of XML parsers.</p>"},{"question":"How does XML Injection work?","answer":"<p>XML Injection involves identifying vulnerable XML input within an application, crafting malicious XML content, injecting this content, and exploiting it to achieve various attacks such as data theft, system compromise, or denial of service.</p>"},{"question":"What are the key features of XML Injection?","answer":"<p>The key features of XML Injection include exploiting weakly configured XML parsers, bypassing security mechanisms by injecting malicious code, executing unauthorized queries or commands, and potentially leading to a complete system compromise.</p>"},{"question":"What types of XML Injection exist?","answer":"<p>Types of XML Injection include Basic Injection, XPath Injection, Second-order Injection, and Blind Injection. These variations depend on the method and purpose of the attack.</p>"},{"question":"How can XML Injection be prevented?","answer":"<p>XML Injection can be prevented through proper input validation, the use of secure coding practices, regular security audits and vulnerability assessments, and employing XML security gateways.</p>"},{"question":"How are proxy servers like OneProxy associated with XML Injection?","answer":"<p>Proxy servers like OneProxy can be used to defend against XML Injection. They can filter, monitor, and log XML traffic to detect suspicious patterns and block malicious requests, providing an additional layer of security.</p>"},{"question":"What are the future perspectives and technologies related to XML Injection?","answer":"<p>Future perspectives related to XML Injection include the development of more robust parsing mechanisms, AI-driven detection algorithms, advanced sandboxing techniques, and real-time monitoring systems to identify and mitigate XML Injection attacks.</p>"},{"question":"How does XML Injection compare to other similar attacks like SQL Injection?","answer":"<p>While both XML Injection and SQL Injection involve the injection of malicious content and exploit weak input validation, they target different technologies. XML Injection focuses on XML data and parsers, whereas SQL Injection targets database queries. Both can lead to serious security breaches but require different approaches to exploit and prevent.</p>"}]},
"_links":{"self":[{"href":"https://oneproxy.pro/cn/wp-json/wp/v2/wiki/479730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https://oneproxy.pro/cn/wp-json/wp/v2/wiki"}],"about":[{"href":"https://oneproxy.pro/cn/wp-json/wp/v2/types/wiki"}],"version-history":[{"count":0,"href":"https://oneproxy.pro/cn/wp-json/wp/v2/wiki/479730/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://oneproxy.pro/cn/wp-json/wp/v2/media/479731"}],"wp:attachment":[{"href":"https://oneproxy.pro/cn/wp-json/wp/v2/media?parent=479730"}],"curies":[{"name":"wp","href":"https://api.w.org/{rel}","templated":true}]}}