Client Side Vulnerabilities / Client-Side Xpath Injection (DOM-Based)

Web and API


Client-side XPath injection (DOM-based) is a type of security vulnerability which is classified under Client Side Vulnerabilities as per the Common Weakness Enumeration (CWE), and occurs in web and API applications. This is a type of injection attack where an attacker injects malicious XPath statements into a client's web page, allowing them to gain control over the page's Document Object Model (DOM). It is similar to other injection attacks such as SQL Injection and Cross-Site Scripting (XSS) in terms of the type of attack, but is different in that the malicious code is not executed on the server side. Instead, the code is executed on the client side, allowing the attacker to gain control of the DOM and access data from the application. As per the OWASP Testing Guide, this vulnerability can be mitigated by data validation and input sanitization on the client side.


Client-side XPath injection (DOM-based) is a serious security vulnerability as it can be used to gain access to sensitive data from the application, or even to gain control of the application itself. This can lead to a variety of malicious activities, including data theft, unauthorized access to the application, and the ability to manipulate the application for malicious purposes. This vulnerability is particularly dangerous as it occurs on the client side, meaning that the malicious code is not executed on the server side, but rather on the client side.


A variety of techniques can be used to mitigate the risk of client-side XPath injection (DOM-based), including data validation, input sanitization, and proper authorization and authentication. Data validation can be used to ensure that data entered by the user is valid, while input sanitization can be used to remove any malicious code from the input before it is processed. Additionally, proper authorization and authentication can be used to ensure that only authorized users have access to the application.


As an example, consider the following code which is vulnerable to client-side XPath injection (DOM-based):

var xpath = "//*[@id='" + user_input + "']";
var element = document.evaluate(xpath, document, null, XPathResult.FIRST_ORDERED_NODE_TYPE, null);

In this example, the user input is concatenated with an XPath statement and evaluated on the client side. This allows an attacker to inject malicious XPath statements into the application and gain control of the DOM.

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.