
CWE-112: Missing XML Validation

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application accepted and processed XML input without validating it against a defined schema (XSD/DTD), allowing malformed structures, unexpected elements, or malicious content to be processed. DAST tools identify this by:

Detection Methods:

  • Schema Violation Testing: Submitting XML with unexpected elements, missing required fields, or invalid data types
  • Structural Attacks: Testing deeply nested XML (XML bomb/billion laughs), extremely large elements, excessive attributes
  • XXE (XML External Entity) Probes: Injecting external entity declarations to test whether the parser processes DTDs:
    <?xml version="1.0"?>
    <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
    <data>&xxe;</data>
  • Attribute Injection: Adding unexpected attributes that may override security settings or behavior
  • Processing Instruction Injection: Testing <?xml-stylesheet?>, <?php?>, and other PIs for execution
  • Encoding Attacks: Submitting invalid character encodings, UTF-7, or BOM variations to bypass validation

HTTP Evidence:

  • Successful HTTP 200 responses processing invalid XML that should be rejected by schema validation
  • Application state changes from unexpected XML elements (e.g., <isAdmin>true</isAdmin> when not in schema)
  • Error messages revealing parser details without schema enforcement ("Unknown element 'malicious'", "Unexpected attribute")
  • XXE evidence: file content in responses (root:x:0:0 from /etc/passwd), DNS/HTTP callbacks to scanner (Collaborator)
  • Performance degradation or timeouts from XML bombs (billion laughs, quadratic blowup)
  • Processing of injection payloads within XML content (XPath injection, SQL injection in element values)

Scanner Behavior: OWASP ZAP (XXE rule 90019, XML External Entity Injection) and PortSwigger Burp Scanner test XML endpoints by submitting invalid structures, XXE payloads, and schema violations. They monitor for successful processing of malformed XML, file disclosure via XXE, and SSRF via external entities. Some scanners use timing analysis to detect XML bombs.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

When reviewing your security scan results, you'll see:

HTTP Request Details

  • URL and endpoint that triggered the finding
  • HTTP method (GET, POST, etc.)
  • Query parameters or form data with test payloads
  • Request headers and body content

HTTP Response Evidence

  • Response showing the vulnerability manifestation
  • Evidence of improper handling or injection
  • Runtime behavior indicators

Attack Vector

  • Which parameter or input is vulnerable
  • Type of exploitation possible
  • Context where the vulnerability appears

Mapping DAST Findings to Source Code

Find the Vulnerable Endpoint

Use the HTTP request URL to locate the code:

# Search for the URL path in your codebase
grep -r "/api/endpoint" src/
grep -r "route.*endpoint" src/

Locate the Route Handler

Common patterns to search for:

  • Python Flask/Django: @app.route('/api/endpoint'), path('endpoint/', ...)
  • Node.js Express: app.get('/api/endpoint', ...), router.get('/api/endpoint', ...)
  • Java Spring: @GetMapping("/api/endpoint"), @RequestMapping("/api/endpoint")
  • ASP.NET: [Route("endpoint")], MapRoute("endpoint", ...)
  • PHP: $_GET['param'], route definitions in routing files

Find the Parameter Handling

Search for the vulnerable parameter name:

# Find where the parameter is accessed
grep -r "request.args.get('param')" src/     # Python Flask
grep -r "req.query.param" src/               # Node.js
grep -r "@RequestParam.*param" src/          # Java Spring
grep -r "Request.QueryString['param']" src/  # ASP.NET
grep -r "$_GET['param']" src/                # PHP

Trace to Vulnerable Operation

Look for where the parameter is used in:

  • Sensitive operations (database queries, commands, file access)
  • Output rendering or response construction
  • Authentication or authorization checks

Remediation

Core principle: Never process untrusted XML without validating it against a strict, application-defined schema; reject any XML that does not conform exactly to the expected structure.

→ For comprehensive remediation guidance, see Static CWE-112 Guidance

Verification and Follow-Up Testing

After applying the fix:

Reproduce the Vulnerability

# Use curl to replay the exact request
curl "http://localhost:3000/api/endpoint?param=value"

# Or use browser DevTools Network tab to copy as cURL

Verify the Fix

  • Confirm incoming XML is validated against a strict XSD
  • Confirm unexpected elements/attributes are rejected, not ignored
  • Confirm schema validation happens before business logic
  • Confirm parser rejects malformed or incomplete XML
  • Confirm validation failures return safe, generic errors
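As an added example (not code from this guidance page or from any named project), a stdlib-only Python intake that does what the core principle and the checks above require: any DOCTYPE or processing instruction is refused before an entity can be declared, the document is validated against an application-defined schema before any business logic runs, unexpected elements and attributes are rejected rather than ignored, and failures return a generic error while the detailed reason stays server-side. SCHEMA, parse_strict and handle_request are constructed names, and the dict schema is a stand-in for an XSD because the standard library has no XSD validator.

```python
import xml.parsers.expat as expat
# Constructed stand-in for an XSD (the stdlib has no XSD validator): root name,
# the allowed child elements each with a value check, and the required subset.
SCHEMA = {"root": "order",
          "fields": {"customerId": str.isdigit,
                     "quantity": lambda s: s.isdigit() and 1 <= int(s) <= 1000},
          "required": {"customerId", "quantity"}}
class _Reject(Exception): pass  # carries the detail for the server log only

def parse_strict(xml_bytes, schema=SCHEMA):
    """(fields, None) if well-formed, DTD-free and schema-conformant, else (None, reason)."""
    p, fields, stack = expat.ParserCreate(), {}, []
    def reject(reason):
        raise _Reject(reason)
    # Refuse any DOCTYPE before its subset is read: that is where XXE and
    # billion-laughs entity declarations live. Processing instructions too.
    p.StartDoctypeDeclHandler = lambda *a: reject("DOCTYPE not allowed")
    p.ProcessingInstructionHandler = lambda *a: reject("PI not allowed")
    def start(name, attrs):
        depth = len(stack)
        ok = (name == schema["root"] if depth == 0 else
              depth == 1 and name in schema["fields"] and name not in fields)
        if attrs or not ok:  # e.g. <isAdmin>, a nested element, any attribute
            reject(f"unexpected element or attribute at <{name}>")
        stack.append(name)
        if depth == 1:
            fields[name] = ""
    def chars(data):
        if len(stack) == 2:
            fields[stack[-1]] += data
        elif data.strip():
            reject("text outside a field")
    p.StartElementHandler, p.CharacterDataHandler = start, chars
    p.EndElementHandler = lambda name: stack.pop()
    try:
        p.Parse(xml_bytes, True)
    except _Reject as e:
        return None, str(e)
    except expat.ExpatError as e:  # malformed or truncated XML
        return None, f"malformed XML: {e}"
    missing = schema["required"] - fields.keys()
    bad = [n for n, v in fields.items() if not schema["fields"][n](v.strip())]
    if missing or bad:
        return None, f"missing {sorted(missing)}, invalid {bad}"
    return {n: v.strip() for n, v in fields.items()}, None

def handle_request(xml_bytes):
    fields, reason = parse_strict(xml_bytes)  # validate before any business logic
    if reason is not None:  # log `reason` server-side; the client gets a generic error
        return 400, {"error": "invalid request body"}
    return 200, fields
```

The reason string is deliberately kept out of the HTTP response so that a scanner replaying schema violations sees only the generic 400.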

Re-run DAST Scanner

Run your dynamic scanner again on the fixed endpoint to confirm remediation.

Additional Resources