Input Validation / XPath Injection
Description
XPath injection is an injection attack that targets applications which build XPath queries over XML data sources. It occurs when an application uses untrusted user input to construct an XPath query. If the application does not properly validate or escape that input, an attacker can alter the query to view, add, modify, or delete data in the XML data source. The Common Weakness Enumeration (CWE) directory classifies XPath injection as an input validation weakness. It can be used to gain access to data that is normally restricted. The OWASP Testing Guide provides more information about XPath injection and how to test for it.
Risk
XPath injection carries a high risk for organizations. If an attacker can inject malicious XPath into an application, they can access and manipulate data from the XML data source. This could lead to data leakage, data deletion, or unauthorized access to sensitive information. It could also be used to launch further attacks, such as an SQL injection attack. Organizations should take steps to prevent XPath injection in applications that use XML data sources.
Solution
Organizations should use input validation to prevent XPath injection attacks. User input should be validated before it is used to construct an XPath query, and validation should be applied to both data fields and query parameters. Additionally, organizations should use parameterized queries instead of dynamically concatenated queries whenever possible; in XPath this means precompiling a fixed expression and binding user-supplied values as XPath variables. This ensures that user input is treated as data and cannot change the structure of the query.
Example
The following code example shows an XPath injection vulnerability.
// Vulnerable: the request parameter is concatenated directly into the XPath expression.
String query = "//book[title='" + request.getParameter("title") + "']";
XPath xpath = XPathFactory.newInstance().newXPath();
NodeList nodes = (NodeList) xpath.evaluate(query, doc, XPathConstants.NODESET);
In this example, the title parameter is not validated or escaped before it is concatenated into the XPath expression, so a value containing a single quote closes the string literal and the remainder of the value is parsed as XPath syntax. An attacker can therefore inject XPath into the query, which could lead to data leakage or manipulation.
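The vulnerable concatenation above placed beside the parameterized form the Solution section recommends, as an added example that is not part of the original page: the class name, the sample catalog, and the tautology probe are constructed for this demonstration, and the hardened version binds the value through the standard `javax.xml.xpath.XPathVariableResolver` so the expression text never changes.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathParamDemo {
    // Constructed sample catalog (not from the original page).
    static final String XML = "<catalog>"
        + "<book><title>Secure Coding</title></book>"
        + "<book><title>XML Basics</title></book>"
        + "</catalog>";

    static Document parse() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so the parser itself cannot be abused via external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
    }

    // Vulnerable form from the page: input is concatenated into the expression text.
    static int countUnsafe(Document doc, String title) throws Exception {
        String query = "//book[title='" + title + "']";
        XPath xpath = XPathFactory.newInstance().newXPath();
        NodeList nodes = (NodeList) xpath.evaluate(query, doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    // Hardened form: the expression is a constant and the value is supplied through
    // an XPathVariableResolver, so input is always treated as data, never as syntax.
    static int countSafe(Document doc, String title) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name ->
            "title".equals(name.getLocalPart()) ? title : null);
        XPathExpression expr = xpath.compile("//book[title=$title]");
        NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse();
        String probe = "' or '1'='1";  // textbook tautology: makes the predicate always true
        System.out.println(countUnsafe(doc, "Secure Coding") + " " + countUnsafe(doc, probe));
        System.out.println(countSafe(doc, "Secure Coding") + " " + countSafe(doc, probe));
    }
}
```

With the probe input the concatenated form matches every book in the catalog while the parameterized form matches none, because the whole value is compared as a literal string. Binding variables fixes the query structure but does not replace validating the title against the format the application actually expects.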