XSLT Injection
An attack vector exploiting vulnerabilities in XSLT processors to execute arbitrary code or access restricted data.
Understanding XSLT Injection
XSLT (Extensible Stylesheet Language Transformations) is used to transform XML data. XSLT Injection occurs when an attacker can supply or alter the stylesheet that an application applies to XML data, leading to code execution, data leakage, or other server-side attacks.
Common Security Risks in XSLT Injection
Server-Side Code Execution
If an application processes user-supplied XSLT, attackers may execute arbitrary code.
File and System Access
XSLT functions like document() can access external files and leak sensitive data.
Denial-of-Service (DoS) Attacks
Recursive transformations can overload the server, causing performance issues.
Bypassing Access Controls
Injected XSLT may allow unauthorized access to restricted data.
Mitigation and Security Best Practices
Disable Dangerous XSLT Features – Restrict file access functions (document(), unparsed-text()).
Validate and Sanitize Input – Ensure user input does not modify transformation logic.
Use Sandboxing – Run XSLT processing in a restricted execution environment.
Apply Least Privilege – Restrict application permissions to prevent system access.
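As an added example that is not part of this page, the following Python audit (standard library only) flags the constructs named above, document(), unparsed-text() and stylesheet include/import, in a user-supplied stylesheet before it reaches the XSLT processor. It is a defense-in-depth gate to sit alongside the processor's own feature restrictions, not a replacement for them; the two stylesheets are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"  # ElementTree's namespaced-tag prefix
# Functions that read data outside the XML being transformed:
# document() (XSLT 1.0) and unparsed-text()/unparsed-text-available() (XSLT 2.0+).
RISKY_FUNCTIONS = re.compile(r"\b(document|unparsed-text(?:-available)?)\s*\(")
# Standard XSLT elements that pull in other stylesheets or write result files.
RISKY_ELEMENTS = {XSL + "include", XSL + "import", XSL + "result-document"}


def audit_stylesheet(xslt_text):
    """Return findings for risky constructs in an untrusted stylesheet.
    An empty list does not prove safety (extension functions are out of scope), so
    processor-level restrictions still apply; the stylesheet is itself untrusted XML,
    so parse it with the same hardened parser settings used for the input data."""
    findings = []
    for elem in ET.fromstring(xslt_text).iter():
        local = elem.tag.rpartition("}")[2]
        if elem.tag in RISKY_ELEMENTS:
            findings.append("element xsl:%s href=%r" % (local, elem.get("href")))
        # XPath expressions and attribute value templates live in attribute values,
        # so every attribute is scanned, including those on literal result elements.
        for name, value in elem.attrib.items():
            for match in RISKY_FUNCTIONS.finditer(value):
                findings.append("function %s() in @%s of <%s>" % (match.group(1), name, local))
    return findings


def is_acceptable(xslt_text):
    """Gate to run before handing a user-supplied stylesheet to the XSLT processor."""
    return not audit_stylesheet(xslt_text)


# Constructed samples, not taken from any real application.
SAFE_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><report><xsl:value-of select="/order/customer"/></report></xsl:template>
</xsl:stylesheet>"""
RISKY_XSLT = """<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:include href="shared.xsl"/>
  <xsl:template match="/"><report>
    <xsl:value-of select="document('config.xml')/settings/key"/>
    <xsl:value-of select="unparsed-text('notes.txt')"/>
  </report></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for label, text in (("safe", SAFE_XSLT), ("risky", RISKY_XSLT)):
        print(label, "accepted" if is_acceptable(text) else audit_stylesheet(text))
```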