C Sharp Xaml Reader Load
Description
Detects potential XAML injection vulnerabilities in C# applications where untrusted input is passed to XamlReader.Load() methods. Because XamlReader.Load() parses the markup and instantiates the .NET objects it describes, an attacker who controls that input can inject malicious XAML, potentially leading to arbitrary code execution.
Detection Strategy
• Identifies calls to XamlReader.Load() methods, including fully qualified variations such as System.Windows.Markup.XamlReader.Load
• Checks whether the argument passed to the Load() method contains or is derived from user-controlled input
• Reports a vulnerability when untrusted, user-controlled data flows into XamlReader.Load() without proper validation or sanitization
Vulnerable code example
using System;
using System.IO;
using System.Web;

public class VulnerableXaml
{
    public void ProcessInput(HttpRequest request)
    {
        ...
✅ Secure code example
using System;
using System.IO;
using System.Web;
using System.Xml;
using System.Text.RegularExpressions;

public class SecureXaml
{
    ...
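As an added illustration of the detection strategy above (not Fluid Attacks' own engine), the following Python sketch applies its three steps to two constructed C# snippets: it finds XamlReader.Load() calls, tracks whether the argument is derived from request data through simple assignment-based taint propagation, and reports the call when no sanitizer intervenes. The list of request sources and the TemplateCatalog.Resolve sanitizer are assumptions made for the example.

```python
import re
# Constructed, simplified version of the detection strategy described above;
# the source list and sanitizer name are illustrative assumptions, not a real API.
TAINT_SOURCES = re.compile(r"\b[Rr]equest\.(?:Form|QueryString|Params|Headers|Cookies|Body|InputStream)\b")
SANITIZERS = re.compile(r"\bTemplateCatalog\.Resolve\b")  # hypothetical allowlist lookup
ASSIGN = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)*(\w+)\s*=\s*(.+?);\s*$")
LOAD_CALL = re.compile(r"\b(?:System\.Windows\.Markup\.)?XamlReader\.Load\s*\((.*)\)")

def _is_tainted(expr: str, tainted: set) -> bool:
    """Tainted if it reads a request source or a tainted variable and is not sanitized."""
    if SANITIZERS.search(expr):
        return False
    if TAINT_SOURCES.search(expr):
        return True
    return any(re.search(rf"\b{re.escape(v)}\b", expr) for v in tainted)

def find_xaml_injection(csharp_source: str) -> list:
    """(line number, code) for each XamlReader.Load whose argument is request-derived."""
    tainted = set()
    findings = []
    for lineno, raw in enumerate(csharp_source.splitlines(), 1):
        line = raw.split("//", 1)[0]  # drop trailing line comments
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            if _is_tainted(rhs, tainted):
                tainted.add(name)  # taint propagates through assignment
            else:
                tainted.discard(name)  # reassigned from clean data
        call = LOAD_CALL.search(line)
        if call and _is_tainted(call.group(1), tainted):
            findings.append((lineno, line.strip()))
    return findings
# Constructed C# samples: request data reaching Load() through a MemoryStream,
# versus user input only choosing a trusted template via an allowlist lookup.
VULNERABLE_SAMPLE = """\
public void ProcessInput(HttpRequest request)
{
    string xaml = request.Form["layout"];
    var stream = new MemoryStream(Encoding.UTF8.GetBytes(xaml));
    object root = XamlReader.Load(stream);
}
"""
SAFE_SAMPLE = """\
public void ProcessInput(HttpRequest request)
{
    string choice = request.QueryString["template"];
    string path = TemplateCatalog.Resolve(choice);
    object root = XamlReader.Load(File.OpenRead(path));
}
"""
```

Real analyzers model far more sources, sinks and sanitizers and follow data across methods; this sketch is line-based and intraprocedural, so it is a teaching aid for the rule, not a replacement for it.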