XPath is a language used by standards such as XSLT and XQuery to reference specific parts of an XML document. To accomplish its goal, XPath has a number of standard operators to describe XML constructs. By applying logic based on these operators, users of XPath can logically select specific values from a document and perform basic manipulations.
When XPath is used in such a way that an untrusted user can inject arbitrary data into an XPath expression, there is potential for exploitation. Consider the following XPath scenario:
XML document:

<user>
  <name> John Doe </name>
  <password> topsecret </password>
  <account_number> 1264436532 </account_number>
</user>
<user> … </user>

XPath string:

//user[name='user name' and password='password']/account_number

Assuming that user name and password come from a potentially malicious user, an XPath injection could allow someone to submit the following data for the user name and the password respectively:
' OR '1'='1
' OR '1'='1
This would cause the following XPath statement:
//user[name='' OR '1'='1' and password='' OR '1'='1']/account_number

This statement would cause the first account number to be returned, without requiring the user to know the user name or password. The same technique could be used to return the account number of any user whose username is known. A more devastating XPath injection is possible if an attacker can access different parts of an XML document; in that case, an attacker can access a social security number or a credit card number rather than an account number. The details of this attack are explained in the "Blind XPath Injections" white paper available at http://www.watchfire.com/resources/blind-xpath-injection.pdf.
To prevent XPath injection and other types of injection attacks, it is important to consistently and properly validate user input so that it conforms to expected criteria.
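As an added illustration (not part of the original article), the following Python code places the concatenation pattern described above beside two defences: an allowlist check on the user name, and binding the input as XPath variables so it can never change the structure of the expression. It assumes the lxml library is installed; the XML document and account values are constructed for the example. Note that XPath keywords are case-sensitive, so the injected operator is written in lowercase here.

```python
import re
from lxml import etree

# Constructed sample document in the shape the article uses (values are made up).
USERS_XML = b"""
<users>
  <user><name>John Doe</name><password>topsecret</password>
        <account_number>1264436532</account_number></user>
  <user><name>Jane Roe</name><password>hunter2</password>
        <account_number>9988776655</account_number></user>
</users>
"""
DOC = etree.fromstring(USERS_XML)

# Allowlist: letters, digits, space, dot, underscore, hyphen; no quotes or brackets.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ._-]{0,63}$")


def is_valid_username(name):
    """Input validation as the article recommends: reject anything outside the allowlist."""
    return USERNAME_RE.match(name) is not None


def lookup_vulnerable(name, password):
    """Builds the XPath by string concatenation, the pattern the article warns about.
    Untrusted text becomes part of the expression, so quotes and operators in the
    input change what the predicate means."""
    query = "//user[name='%s' and password='%s']/account_number/text()" % (name, password)
    return DOC.xpath(query)


def lookup_parameterized(name, password):
    """Binds the input as XPath variables ($name, $password). lxml passes them to the
    evaluator as string values, so the predicate structure is fixed at coding time."""
    query = "//user[name=$name and password=$password]/account_number/text()"
    return DOC.xpath(query, name=name, password=password)


if __name__ == "__main__":
    injected = "' or '1'='1"          # the article's payload, with lowercase 'or'
    print(lookup_vulnerable("John Doe", "topsecret"))       # ['1264436532']
    print(lookup_vulnerable(injected, injected))            # every account number
    print(lookup_parameterized(injected, injected))         # [] : treated as literal text
    print(is_valid_username(injected))                      # False : rejected before query
```

The parameterized version also handles a legitimate name containing an apostrophe, which the concatenated version turns into an XPath syntax error.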
This was first published in January 2006