Ask the Expert

What is XPath Injection?

I'm hearing more about XPath Injection these days. What is it?

Requires Free Membership to View

XPath Injection is a new kind of security vulnerability. It is associated with the XPath specification (XML Path Language) and is similar to back-end interpreter injection vulnerabilities (such as SQL Injection and LDAP Injection). An understanding of XPath is needed to understand how XPath Injection works.

XPath is a language used by standards such as XSLT and XQuery to reference specific parts of an XML document. To accomplish its goal, XPath has a number of standard operators to describe XML constructs. By applying logic based on these operators, users of XPath can logically select specific values from a document and perform basic manipulations.

When XPath is used in such a way that an unauthorized user can inject arbitrary data into an XPath expression, then there is a potential for exploitation. Let's look at the following XPath scenario:

XML Document
<user>
   <name>
          John Doe
   </name>
   <password>
          topsecret
   </password>
   <account_number>
          1264436532
   </account_number>
</user>
<user>
  …
</user>
XPath String
//user[name='user name' and password='password']/account_number
Assuming that user name and password come from a potentially malicious user, an Xpath injection could allow someone to submit the following data:

user name:
' OR '1'='1
password:
' OR '1'='1

This would cause the following XPath statement:
//user[name=''  OR '1'='1' and password=''  OR '1'='1']/account_number
This statement would cause the first account number to be returned, without requiring the user to know the user name or password. Obviously, this technique could be used to return any user with a known username's account number. A more devastating XPath injection is possible if an attacker can access different parts of an XML document. In this case, an attacker can access a social security number, or a credit card number rather than an account number. The details of this attack are explained in the "Blind XPath Injections" white paper available at http://www.watchfire.com/resources/blind-xpath-injection.pdf.

To prevent XPath injection and other types of injection attacks, it is important to consistently and properly validate user input so that it conforms to expected criteria.

This was first published in January 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: