Remote XSLT Inclusion
Variants: Direct Persistent Session
Also Known As: XSL Remote File Inclusion, XSLT Injection, XSLT Transform Injection
Vector Type: Attack
Relevance: Generic
Layer: Application-Level
Platforms: Any
Target Type: Application
Affected Mechanisms: Input Validation, Syntax Escaping, Hardening, Secure Design
Invented In: 04/03/2005
Added In: 25/12/2014
Vector Operation Method:
Malicious input can introduce external remote XSL content or external server code into the application. When the application processes that remote XSL, attackers can execute code on the server, gain access to local files, embed XSS scripts in the website output, etc.
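
An added example, not part of the original entry: a pre-transform audit in Python that flags the stylesheet constructs through which external XSL or other resources get pulled in, so a stylesheet can be rejected before it reaches the processor. The function name audit_stylesheet, the sibling-file-only policy and both sample stylesheets are assumptions constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# XPath/XSLT functions that make the processor load another resource.
FETCH_CALL = re.compile(r"\b(document|doc|unparsed-text)\s*\(")
# Assumed policy: include/import may only name a sibling file, no path or URL.
LOCAL_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.xslt?$")

def audit_stylesheet(xsl_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    if "<!DOCTYPE" in xsl_text:
        return ["DOCTYPE present: entity declarations are not accepted"]
    findings = []
    source = io.BytesIO(xsl_text.encode("utf-8"))
    try:
        for event, item in ET.iterparse(source, events=("start-ns", "start")):
            if event == "start-ns":
                # A non-XSLT namespace may bind processor extension functions.
                if item[1] != XSL_NS:
                    findings.append("non-XSLT namespace declared: " + item[1])
                continue
            kind = item.tag.rpartition("}")[2]
            if item.tag.startswith("{" + XSL_NS + "}") and kind in ("include", "import"):
                href = item.get("href", "")
                if not LOCAL_NAME.match(href):
                    findings.append(kind + " of non-local href: " + href)
            for name, value in item.attrib.items():
                if FETCH_CALL.search(value):
                    findings.append("resource-fetching call in @" + name + ": " + value)
    except ET.ParseError as exc:
        findings.append("not well-formed XML: " + str(exc))
    return findings

# Constructed sample stylesheets (not taken from any real application).
BENIGN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="common.xsl"/>
  <xsl:template match="/"><out><xsl:value-of select="/order/id"/></out></xsl:template>
</xsl:stylesheet>"""
SUSPECT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:include href="http://stylesheets.example/remote.xsl"/>
  <xsl:template match="/"><xsl:copy-of select="document('other.xml')"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_stylesheet(text))
```

The audit is a review aid layered on top of input validation; it does not replace configuring the XSLT processor itself to refuse external resource resolution.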