What is XPath Injection?
I'm hearing more about XPath Injection these days. What is it?

XPath Injection is a relatively new class of security vulnerability. It affects applications that build XPath (XML Path Language) expressions from user input, and it belongs to the same family as other back-end interpreter injection flaws such as SQL Injection and LDAP Injection. Understanding how XPath Injection works requires a basic understanding of XPath.

XPath is a language, used by standards such as XSLT and XQuery, for addressing specific parts of an XML document. It provides a set of standard operators and functions for describing XML constructs; by combining them in expressions and predicates, a user of XPath can select specific values from a document and perform basic manipulations on them.

When XPath is used in such a way that an untrusted user can inject arbitrary data into an XPath expression, there is potential for exploitation. Consider the following scenario:

XML Document
<users>
  <user>
    <name>John Doe</name>
    <password>topsecret</password>
    <account_number>1264436532</account_number>
  </user>
  <user>
    …
  </user>
</users>
XPath String
//user[name='user name' and password='password']/account_number
Assuming that user name and password come from a potentially malicious user, an XPath injection could allow someone to submit the following data (XPath operators are case-sensitive, so the injected or must be lowercase):

user name:
' or '1'='1
password:
' or '1'='1

This would produce the following XPath statement:
//user[name='' or '1'='1' and password='' or '1'='1']/account_number
Because XPath's and binds more tightly than or, this predicate reads as name='' or ('1'='1' and password='') or '1'='1', which is true for every <user> element. The expression therefore selects every account_number in the document, and an application that takes the first result (or the string value of the node-set) hands back the first user's account number without the attacker knowing any user name or password. By injecting a different condition, for example a password of ' or name='John Doe, the attacker can make the predicate true only for a chosen user and read that user's account number. A more devastating XPath injection is possible because XPath has no notion of access control: every node in the document is reachable from the injected expression, so an attacker can pull a social security number or a credit card number rather than an account number, and with blind techniques (yes/no answers inferred from the application's behaviour) can reconstruct the document without ever seeing its output directly. The details of this attack are explained in the "Blind XPath Injections" white paper available at http://www.watchfire.com/resources/blind-xpath-injection.pdf.

To prevent XPath injection, as with other injection attacks, never build an expression by concatenating raw user input into it. Validate input consistently against an allow-list of the characters and formats you expect (a user name should not contain quotes, parentheses or slashes), and, where the XPath engine supports it, pass user values as XPath variables rather than as text in the expression; Java's javax.xml.xpath API, for example, lets an XPathVariableResolver supply $name and $password at evaluation time. If input must be embedded as a literal, remember that XPath 1.0 string literals have no escape character: a value containing a single quote has to go in double quotes, and a value containing both kinds of quote has to be assembled with concat().
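The attack above (the concatenated expression and the ' or '1'='1 payload) and the literal-quoting defence just described, as a runnable Python example. This is an added illustration, not code from the original column: the two-user document, the user names, passwords, account numbers and the function names are constructed for it, and the quoting helper goes beyond the column's single payload by also handling values that contain both kinds of quote. If lxml is installed it runs the expressions against the sample document; without it, only the expressions are built.

```python
"""Added example, not from the original column: build the column's XPath query
the unsafe way (string concatenation) and the safe way (input quoted as an
XPath 1.0 string literal), then run both against a constructed document."""

# Constructed sample document, modelled on the one in the column.  The
# user names, passwords and account numbers are made up for this example.
USERS_XML = """<users>
<user><name>John Doe</name><password>topsecret</password><account_number>1264436532</account_number></user>
<user><name>Jane Roe</name><password>hunter2</password><account_number>5550001234</account_number></user>
</users>"""


def build_query_unsafe(name: str, password: str) -> str:
    """The vulnerable pattern: user input pasted straight into the expression."""
    return "//user[name='" + name + "' and password='" + password + "']/account_number"


def xpath_literal(value: str) -> str:
    """Quote an arbitrary string as an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside literals, so a value with a
    single quote goes in double quotes, and a value containing both quote
    kinds is assembled from single-quoted pieces joined by "'" with concat().
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = []
    for i, piece in enumerate(value.split("'")):
        if i:                       # an apostrophe sat between the pieces
            parts.append('"\'"')
        if piece:
            parts.append("'" + piece + "'")
    # A value that reaches this point holds a '"' piece and an apostrophe,
    # so concat() always receives at least two arguments.
    return "concat(" + ", ".join(parts) + ")"


def build_query_safe(name: str, password: str) -> str:
    """Same query, with each value embedded as a proper literal so quotes in
    the input cannot terminate the literal and alter the predicate."""
    return ("//user[name=" + xpath_literal(name) + " and password="
            + xpath_literal(password) + "]/account_number")


def run_query(expr: str):
    """Evaluate expr against USERS_XML with lxml and return the matched account
    numbers in document order; returns None if lxml is not installed."""
    try:
        from lxml import etree
    except ImportError:
        return None
    root = etree.fromstring(USERS_XML.encode())
    return [node.text for node in root.xpath(expr)]


if __name__ == "__main__":
    bypass = "' or '1'='1"            # the column's payload, lowercase as XPath requires
    targeted = "' or name='Jane Roe"  # a password that selects one chosen user
    for label, expr in (
        ("unsafe, bypass", build_query_unsafe(bypass, bypass)),
        ("unsafe, targeted", build_query_unsafe("", targeted)),
        ("safe, bypass", build_query_safe(bypass, bypass)),
    ):
        result = run_query(expr)
        print(f"{label}\n  {expr}\n  matches: "
              f"{'(lxml not installed)' if result is None else result}")
```

With lxml present, the unsafe bypass query returns both account numbers, the targeted one returns only Jane Roe's, and the safe query returns nothing, because the payload is compared as a literal string rather than parsed as part of the predicate. Binding the values as XPath variables, where the engine supports it, is preferable to quoting; xpath_literal is for engines, or legacy code, where the expression has to be a single string.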

This was first published in January 2006