The only way I can think of to get an XQuery Injection is via an xdmp:eval() call with a poorly done string concatenation being passed in instead of the correct use of parameters, so if you're worried, make sure you're not running as admin and the running user doesn't have rights to execute that function. Problem solved.
Unless you're writing a tool like QC you probably don't need that function. You can use xdmp:invoke() instead, where there's no risk of injection.

-jh-

On Jun 13, 2013, at 12:23 PM, Danny Sinang <[email protected]> wrote:

> Hi,
>
> Besides Fortify, is there a tool out there that checks for XQuery Injection vulnerability ?
>
> Regards,
> Danny
>
> _______________________________________________
> General mailing list
> [email protected]
> http://developer.marklogic.com/mailman/listinfo/general
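To make the distinction in the reply concrete, here is an added illustration (not code from the thread or from MarkLogic) of the three patterns it mentions: query text built by string concatenation, xdmp:eval() with the value bound as an external variable, and xdmp:invoke() of a stored module. It assumes a MarkLogic application server, a hypothetical request field "author", a hypothetical module at /queries/books-by-author.xqy, and an assumed privilege URI for the eval check.

```xquery
xquery version "1.0-ml";

(: Added example, not part of the original mailing-list thread.
   Assumes a MarkLogic app server with a request field named "author". :)

let $author := xdmp:get-request-field("author", "")

(: 1. Injection-prone pattern the reply warns about: the request value is
      spliced into the query text, so whatever the caller sends becomes part
      of the program that xdmp:eval() compiles and runs. Shown only for
      contrast; it is never executed here. :)
let $unsafe-query :=
  fn:concat("fn:collection('books')[author = '", $author, "']")

(: 2. Parameterised eval: the query text is a constant and the value is
      passed in the $vars argument as an external variable, so it is only
      ever data, never code. $vars is a sequence of QName/value pairs. :)
let $safe-query :=
  'declare variable $author as xs:string external;
   fn:collection("books")[author = $author]'
let $safe-result :=
  xdmp:eval($safe-query, (xs:QName("author"), $author))

(: 3. Preferred pattern from the reply: invoke a module stored on disk, so no
      query text is assembled at run time at all. The external-variable
      binding works the same way. Module path is hypothetical. :)
let $invoked-result :=
  xdmp:invoke("/queries/books-by-author.xqy", (xs:QName("author"), $author))

(: Defensive check the reply suggests: the app's user should normally lack
   the eval privilege. Privilege URI is an assumption; confirm it against
   your MarkLogic version's privilege list. :)
let $can-eval :=
  xdmp:has-privilege("http://marklogic.com/xdmp/privileges/xdmp-eval", "execute")

return
  <result>
    <user-can-eval>{ $can-eval }</user-can-eval>
    <invoked-count>{ fn:count($invoked-result) }</invoked-count>
    { $safe-result }
  </result>
```

The point a reviewer or scanner should look for is pattern 1: any argument to xdmp:eval() (or xdmp:value(), which evaluates a string the same way) that is not a string literal. Patterns 2 and 3 keep untrusted input in the $vars sequence, where the evaluator treats it as a typed value rather than source text.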
