Link Search Menu Expand Document
×
Topics

XPath Injection

Play SecureFlag Play Labs on this vulnerability with SecureFlag!

  1. XPath Injection
    1. Description
    2. Impact
    3. Scenarios
    4. Prevention
    5. Testing
    6. References

Description

XPath (XML Path Language) is a query language used to navigate and select nodes from XML documents. It provides multiple functions and allows selecting elements based on their hierarchy, names, or values.

XPath Injection, similar to SQL Injection, occurs when user-controlled data is directly incorporated into XPath expressions without proper escaping or sanitization.

Impact

A successful XPath Injection attack can allow a malicious user to gain unauthorized access to data in an XML document, potentially exposing sensitive information or interfering with application logic.

Subverting application logic through XPath Injection can lead to unpredictable outcomes, depending on the context of the XPath statement and the attacker’s strategy.

We call it blind XPath Injection when the injection succeeds but the application does not return the results of the manipulated query to the attacker. Blind injections are still exploitable, as attackers can infer data using timing analysis or content-based responses.

Scenarios

The following is a classic example of subverting application logic to bypass access controls, using the ubiquitous username and password authentication mechanism. Consider the XML document below:

<users>
  <user>
    <username>user</username>
    <password>secret</password>
  </user>
  <user>
    <username>admin</username>
    <password>S3cr3tPassw0rd</password>
  </user>
</users>

In a benign scenario, a user submits the username user and the password secret. The application then performs an XPath query to verify the credentials:

//user[username='user' and password='secret']

In XPath syntax, the part inside the brackets is called the predicate, and it acts similarly to a WHERE clause in SQL.

The login is successful if the query returns the user node; otherwise, it is rejected. By injecting a condition that always evaluates to true, the password check can be bypassed.

The following example illustrates this in action. By entering admin' or '1'='1 in the username field and any value in the password field, the resulting XPath expression becomes:

//user[username='admin' or '1'='1' and password='anything']

Due to operator precedence (and is evaluated before or), this results in the following query:

//user[(username='admin') or (true and password='anything')]

Depending on the implementation, this may result in successful authentication without requiring valid credentials.

Prevention

Where supported by the library or framework, use parameterized or precompiled XPath expressions. Otherwise, ensure strict input validation and proper escaping.

Testing

Verify that, where parameterized expressions or safer mechanisms are not used, proper context-specific escaping is applied to user input. This includes correctly escaping quotes and other special characters to prevent XPath Injection.

References

CWE - CWE-643: Improper Neutralization of Data within XPath Expressions

OWASP - XPath Injection

OWASP Testing Guide - Testing for XPath Injection

Table of contents