The Extensible Markup Language (XML) is a markup language for describing information in documents in a structured way. XML is human readable, which makes it desirable from a development and integration point of view. What makes XML structured is that documents contain both content and metadata that describes that content.
Almost all documents have some structure, so XML is a great way of standardizing that structure into one common format. In web applications, XML is the preferred data exchange format and serves as the foundation of many web protocols and data interchange formats.
XML does not, by itself, have any security features. The following are examples where the use of XML can lead to vulnerabilities.
All information from web requests (or requests made from outside your network) that is not validated before being used in a web application should be considered tainted. This includes XML. Attackers can exploit flaws in how such input is handled to attack backend components through the web application.
If XML data is accepted as input to a web application it is possible for an attacker to alter the values embedded in the XML to attack the system.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE greeting [ <!ELEMENT greeting (#PCDATA)> ]>
<greeting><script>alert('Gotcha!');</script></greeting>
As with all input data, XML data should be validated before it is used. This is particularly true when the XML is consumed in the browser, as in the case of Ajax.
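The following is an added example, not code from the original page: it parses the greeting document above with Python's standard library, enforces the shape the DTD declares (a single greeting element holding character data only), and HTML-escapes the result before it is handed to a browser. The helper names, the length limit and the two sample documents are assumptions constructed for this illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample inputs: the payload quoted on this page and a benign greeting.
TAINTED = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE greeting [ <!ELEMENT greeting (#PCDATA)> ]>
<greeting><script>alert('Gotcha!');</script></greeting>"""
BENIGN = """<?xml version="1.0" encoding="UTF-8" ?>
<greeting>Hello, world &amp; friends</greeting>"""

MAX_LEN = 200  # assumed application limit on greeting length


def validate_greeting(xml_text):
    """Hypothetical helper: parse untrusted XML and enforce the DTD's shape.
    Returns the greeting text or raises ValueError on any deviation."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}")
    if root.tag != "greeting":
        raise ValueError(f"unexpected root element <{root.tag}>")
    # (#PCDATA) permits no child elements; the page's payload smuggles <script> in here.
    if len(root) != 0:
        raise ValueError(f"child elements not allowed: <{root[0].tag}>")
    if root.attrib:
        raise ValueError("attributes not allowed")
    text = (root.text or "").strip()
    if not text or len(text) > MAX_LEN:
        raise ValueError("greeting text missing or too long")
    return text


def is_safe_greeting(xml_text):
    """Boolean form of the check, convenient for request filtering."""
    try:
        validate_greeting(xml_text)
        return True
    except ValueError:
        return False


def render_greeting(xml_text):
    """Build an HTML fragment from validated text, escaping it for the browser."""
    return "<p>" + html.escape(validate_greeting(xml_text)) + "</p>"
```

Rejecting the document at the structural check means the script element never reaches the browser; the escaping in render_greeting covers greetings whose text merely contains markup-like characters.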