XPath Injection

Overview

XPath is a query language for selecting and manipulating data in XML documents. Websites may interact with data stored in XML files via XPath queries. XPath Injection attacks occur when an attacker is able to manipulate the XPath queries carried out by the website. In doing so, the attacker can potentially view, modify and destroy any data stored in the XML files.

What makes a site vulnerable?

XPath Injection is made possible when the website constructs and executes XPath queries which contain poorly validated user input. By being able to insert input into the query, the attacker can potentially modify the structure of the query in such a way as to be able to carry out XPath operations which users were never meant to perform.

Impact of the attack

The attacker can potentially view, modify and destroy any data in the XML documents the application reaches through XPath. Additionally, the attacker may be able to subvert mechanisms, such as login mechanisms, which rely on the results of those XPath queries.

Preventing the attack

XPath Injection attacks can be prevented by eliminating the use of user input in the construction of XPath queries. Where this is not practical, the attacks can be prevented through proper validation of user input prior to use. If user input does not match a strict format known to be handled correctly by the application, the query should not be executed.
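As an added illustration that is not part of the original page, the following Ruby login check uses the REXML library shipped with Ruby. The first version splices both inputs into the XPath expression; the second applies the strict format check recommended above to the username and keeps the password out of the query entirely. The XML user store, the user names and the function names are constructed for this example.

```ruby
require 'rexml/document'

# Constructed sample user store, standing in for the XML file a site would query.
USERS_XML = <<~XML
  <users>
    <user><name>alice</name><password>s3cret</password><role>admin</role></user>
    <user><name>bob</name><password>hunter2</password><role>user</role></user>
  </users>
XML
USERS = REXML::Document.new(USERS_XML)

# Vulnerable: both inputs are spliced straight into the XPath predicate, so a
# quote in either one changes the structure of the query rather than its data.
# Returns the matched user's role, or nil when no node matches.
def login_vulnerable(name, password)
  query = "//user[name='#{name}' and password='#{password}']"
  node = REXML::XPath.first(USERS, query)
  node && node.elements['role'].text
end

# Strict format the application knows it handles correctly: short identifiers
# made of letters, digits and underscore. Quotes, brackets and operators fail.
SAFE_NAME = /\A[A-Za-z0-9_]{1,32}\z/

# Hardened: the username must pass the format check before it reaches the
# query, and the password never enters the query at all; it is compared in
# application code after the user node has been located by name alone.
# (A real system would compare against a stored password hash here.)
def login_hardened(name, password)
  return nil unless name.match?(SAFE_NAME)
  node = REXML::XPath.first(USERS, "//user[name='#{name}']")
  return nil unless node && node.elements['password'].text == password
  node.elements['role'].text
end

if __FILE__ == $PROGRAM_NAME
  puts login_vulnerable('alice', "' or '1'='1")          # role returned without the password
  puts login_hardened('alice', "' or '1'='1").inspect    # nil: password mismatch
  puts login_hardened("alice' or '1'='1", 'x').inspect   # nil: rejected by format check
end
```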