
What is XPath Injection?

What is XPath Injection? Web services security expert Alex Smolen explains and advises how to protect against it.

I'm hearing more about XPath Injection these days. What is it?
XPath Injection is a new kind of security vulnerability. It is associated with the XPath specification (XML Path Language) and is similar to back-end interpreter injection vulnerabilities (such as SQL Injection and LDAP Injection). An understanding of XPath is needed to understand how XPath Injection works.

XPath is a language used by standards such as XSLT and XQuery to reference specific parts of an XML document. To accomplish its goal, XPath has a number of standard operators to describe XML constructs. By applying logic based on these operators, users of XPath can logically select specific values from a document and perform basic manipulations.

When XPath is used in such a way that an unauthorized user can inject arbitrary data into an XPath expression, then there is a potential for exploitation. Let's look at the following XPath scenario:

XML Document (fragment):
          John Doe

XPath String:
          //user[name='user name' and password='password']/account_number
Assuming that the user name and password come from a potentially malicious user, an XPath injection would allow that user to submit the following data:

user name:
' OR '1'='1
password:
' OR '1'='1

This would cause the following XPath statement:
//user[name='' OR '1'='1' and password='' OR '1'='1']/account_number
Because the injected conditions are always true, this statement returns the first user's account number without requiring the attacker to know any user name or password. The same technique returns the account number of any user whose user name is known. A more damaging XPath injection is possible when an attacker can reach other parts of the XML document: in that case the attacker can read a social security number or a credit card number rather than an account number. The details of this attack are explained in the "Blind XPath Injections" white paper available at http://www.watchfire.com/resources/blind-xpath-injection.pdf.

To prevent XPath injection and other types of injection attacks, it is important to consistently and properly validate user input so that it conforms to expected criteria.
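The vulnerable lookup from the scenario above, beside a hardened form that applies the validation advice, as an added example in Ruby using the standard REXML library (this is not code from the article). The XML document, passwords and account numbers are constructed for this example, and because XPath 1.0 keywords are case-sensitive the payload uses a lowercase or.

```ruby
require 'rexml/document'

# Constructed sample document with the user/name/password/account_number
# shape the article's XPath expression refers to (values invented here).
USERS_XML = <<~XML
  <users>
    <user><name>John Doe</name><password>s3cret</password><account_number>1001</account_number></user>
    <user><name>Jane Roe</name><password>hunter2</password><account_number>1002</account_number></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable: user-controlled strings are spliced straight into the expression,
# so a quote in the input changes the structure of the predicate.
def lookup_unsafe(name, password)
  xpath = "//user[name='#{name}' and password='#{password}']/account_number"
  node = REXML::XPath.first(DOC, xpath)
  node && node.text
end

# Hardened, two layers:
#  1. allow-list validation: reject anything that is not a plausible user name
#     before it reaches the query (the article's recommendation);
#  2. pass both values as XPath variables ($n, $p) so they are compared as data
#     and cannot alter the expression even if validation lets a quote through.
USERNAME_RE = /\A[A-Za-z0-9 ._-]{1,64}\z/
def lookup_safe(name, password)
  return nil unless name.is_a?(String) && password.is_a?(String)
  return nil unless USERNAME_RE.match?(name) && password.length.between?(1, 128)
  xpath = "//user[name=$n and password=$p]/account_number"
  node = REXML::XPath.first(DOC, xpath, {}, { 'n' => name, 'p' => password })
  node && node.text
end

PAYLOAD = "' or '1'='1"  # the article's payload, with XPath's lowercase 'or'

if __FILE__ == $0
  puts "valid credentials, unsafe: #{lookup_unsafe('John Doe', 's3cret').inspect}"  # "1001"
  puts "payload, unsafe:           #{lookup_unsafe(PAYLOAD, PAYLOAD).inspect}"      # "1001"
  puts "payload, safe:             #{lookup_safe(PAYLOAD, PAYLOAD).inspect}"        # nil
end
```

Passing the payload only in the password field still defeats lookup_unsafe, while lookup_safe compares it literally and returns nil.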
