General Information

Remote XSLT Inclusion

Variants:
Direct, Persistent, Session

Also Known As:
XSL Remote File Inclusion, XSLT Injection, XSLT Transform Injection

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Input Validation, Syntax Escaping, Hardening, Secure Design

Invented In:
04/03/2005

Added In:
25/12/2014


Vector Operation Method:
Attacker-controlled input can cause the application to load and process an externally hosted XSL stylesheet, or external server-side code reached through it. When the application processes attacker-supplied XSL, the attacker can execute code on the server, read local files, embed cross-site scripting payloads in the website's output, and cause other damage.


Direct Variant:

Remote XSL Inclusion

Also Known As:
XSL Remote File Inclusion, XSLT Injection, XSLT Transform Injection

Typical Severity:
Critical


Persistent Variant:

Stored Remote XSL Inclusion

Also Known As:
Persistent Remote XSL Inclusion

Typical Severity:
Critical


Session Variant:

Remote XSL Inclusion via Session Puzzling

Typical Severity:
Critical
