JSP XSLT 

Extensible Stylesheet Language Transformations (XSLT) is a language for transforming an XML document into another document (XML, HTML or plain text). If an attacker can control the content of the stylesheet, they may be able to trigger remote code execution (RCE) or server-side path traversal, depending on the XSLT processor in use and which of its unsafe features are enabled.

Fixes for JSP XSLT

Take for example a simple XSLT transform,

<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/technology_companies">
    <xsl:value-of select="system-property('xsl:vendor')"/>
  </xsl:template>
</xsl:stylesheet>

In this example the template matches /technology_companies and outputs the xsl:vendor system property. If any part of this stylesheet were built from user input, that is where an attacker could inject directives of their own. system-property('xsl:vendor') is a typical first probe: it reveals which XSLT processor is in use, which tells the attacker which processor-specific extension functions to try next.

A general solution if XSLT is required to be used:

  • Avoid interpreting user-defined XSLT documents
  • Do not build XSLT documents, or any of their fields, from input the user can control, e.g. a company name; pass such values into a fixed stylesheet as parameters instead
  • Review the default settings of the XSLT library in use and disable unsafe functionality: extension functions that call into the host language, and the resolution of XML External Entities (XXE) and external documents
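As an added example (not code from the original page), here is the vulnerable pattern beside a hardened version, written for the JDK's built-in JAXP transformer. The class name CompanyReport, the companyName parameter, the render() method and the sample XML are assumptions made for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class CompanyReport {

    // VULNERABLE (do not use): the stylesheet is assembled from a user-supplied
    // value, so whatever the user types is parsed as XSLT. A company name such as
    //   </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><xsl:text>
    // closes the text element and runs the attacker's directive instead.
    static String buildStylesheetFromInput(String companyName) {
        return "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
             + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
             + "  <xsl:output method=\"text\"/>"
             + "  <xsl:template match=\"/technology_companies\">"
             + "    <xsl:text>Report for " + companyName + "</xsl:text>"
             + "  </xsl:template>"
             + "</xsl:stylesheet>";
    }

    // FIXED: a fixed stylesheet that declares a parameter. User input only ever
    // reaches the transform through setParameter(), where it is a string value
    // and is never parsed as XSLT.
    static final String STYLESHEET =
          "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
        + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "  <xsl:output method=\"text\"/>"
        + "  <xsl:param name=\"companyName\"/>"
        + "  <xsl:template match=\"/technology_companies\">"
        + "    <xsl:text>Report for </xsl:text><xsl:value-of select=\"$companyName\"/>"
        + "  </xsl:template>"
        + "</xsl:stylesheet>";

    // Factory with the processor's unsafe features turned off (JAXP settings).
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Secure processing: the JDK's built-in XSLTC then refuses extension
        // functions, the mechanism XSLT RCE payloads use to call into Java.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol lists: no external DTDs, and no xsl:import/xsl:include
        // or document() fetches of local files or remote URLs from the stylesheet.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Runs the fixed stylesheet over the XML, handing the user value in as data.
    static String render(String companiesXml, String companyName) throws TransformerException {
        Transformer transformer = hardenedFactory()
                .newTransformer(new StreamSource(new StringReader(STYLESHEET)));
        transformer.setParameter("companyName", companyName);
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(companiesXml)),
                              new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample input and a hostile "company name".
        String xml = "<technology_companies><company>Example Ltd</company></technology_companies>";
        String hostile = "</xsl:text><xsl:value-of select=\"system-property('xsl:vendor')\"/><xsl:text>";
        // The hostile value travels as a parameter, so it is copied into the
        // output as text and is never evaluated as a stylesheet directive.
        System.out.println(render(xml, hostile));
    }
}
```

The attribute names above are JAXP's; a third-party processor on the classpath (standalone Xalan, Saxon) may reject them, in which case setAttribute throws IllegalArgumentException. Treat that as a deployment error rather than catching it and continuing, and apply the equivalent settings from that library's own documentation, as the third bullet advises.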

