CWE

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

ID: 643		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: INCOMPLETE
Abstraction Type: Base

Description

The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

Extended Description

The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

Enabling Factors for Exploitation
XPath queries are constructed dynamically using user supplied input

Likelihood of Exploit: High

Applicable Platforms
Language Class: All

Time Of Introduction

• Implementation

Common Consequences

Scope	Technical Impact	Notes
Access_Control	Bypass protection mechanism	Controlling application flow (e.g. bypassing authentication).
Confidentiality	Read application data	The attacker could read restricted XML content.

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Implementation		Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.
Implementation		Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.

Relationships
This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.

Related CWE	Type	View	Chain
CWE-643 ChildOf CWE-896	Category	CWE-888

Demonstrative Examples   (Details)

1. Consider the following simple XML document that stores authentication information and a snippet of Java code that uses XPath query to retrieve authentication information:

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
WASC	39	XPath Injection

References:

1. Web Application Security Consortium .XPath Injection.
2. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 17, "XPath Injection", Page 1070.'. Published on 2006.