Archive | 2019

Injecting Unintended XML

 

Abstract


Whenever we pen test an application and see that its functionality involves XML parsing in the backend, we test the app for XML injection issues. Usually we use an XML parser to check whether the client application’s XML document is properly formatted, and we also validate the XML documents with that parser. Using XML parsers in this way is a normal procedure before penetration testing any application for XML injection issues. This type of XML injection can cause medium to severe damage to the application. It can alter the intended logic of the application, which is why we call it unintended XML injection.

Pages 123-146
DOI 10.1007/978-1-4842-5391-5_8
Language English
