Failure to Sanitize Data within XPath Expressions ('XPath injection')
Weakness ID: 643 (Weakness Base) | Status: Incomplete
Description Summary
Extended Description
The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).
Scope | Effect
---|---
Integrity | Controlling application flow (e.g. bypassing authentication)
Confidentiality | Information disclosure
XPath queries are constructed dynamically using user-supplied input
The application does not perform sufficient validation or sanitization of user-supplied input
Example 1
Consider the following simple XML document that stores authentication information and a snippet of Java code that uses XPath query to retrieve authentication information:
The Java code used to retrieve the home directory based on the provided credentials is:
Assume that user "john" wishes to leverage XPath Injection and log in without a valid password. By providing the username "john" and the password "' or ''='", the XPath expression now becomes
which, of course, lets user "john" log in without a valid password, thus bypassing authentication.
Use parameterized XPath queries (e.g. using XQuery). This helps ensure separation between the data plane and the control plane.
Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.
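The following Java program illustrates both the Example 1 pattern and the parameterized-query mitigation above. It is an added example, not code from the CWE entry; the XML document, the attribute names (name, pass, home) and the method names are constructed assumptions, and the parameter binding uses the JDK's XPathVariableResolver rather than XQuery.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XPathInjectionDemo {
    // Constructed sample user store (not the CWE entry's own document).
    static final String XML =
        "<users>"
      + "<user name='john' pass='s3cret' home='/home/john'/>"
      + "<user name='jane' pass='hunter2' home='/home/jane'/>"
      + "</users>";

    static Document load() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
    }

    // Vulnerable: credentials are concatenated into the expression, so the
    // password "' or ''='" turns the predicate into
    // [@name='john' and @pass='' or ''=''], which is true for every user.
    static String homeDirUnsafe(Document doc, String user, String pass) throws Exception {
        String expr = "//user[@name='" + user + "' and @pass='" + pass + "']/@home";
        return XPathFactory.newInstance().newXPath().evaluate(expr, doc);
    }

    // Hardened: the expression is a fixed string; the values are bound as
    // XPath variables, so quotes in the input can never alter the query logic.
    static String homeDirSafe(Document doc, String user, String pass) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v -> {
            switch (v.getLocalPart()) {
                case "u": return user;
                case "p": return pass;
                default:  return null;
            }
        });
        return xp.evaluate("//user[@name=$u and @pass=$p]/@home", doc);
    }

    public static void main(String[] args) throws Exception {
        Document doc = load();
        String payload = "' or ''='";  // the password from Example 1
        System.out.println("unsafe: " + homeDirUnsafe(doc, "john", payload)); // /home/john: bypassed
        System.out.println("safe:   " + homeDirSafe(doc, "john", payload));   // empty: no match
        System.out.println("safe:   " + homeDirSafe(doc, "john", "s3cret"));  // /home/john
    }
}
```

evaluate() returns the string value of the first matching node, so with the concatenated expression the attacker is logged in as whichever user appears first in the document.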
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Weakness Base | 91 | XML Injection (aka Blind XPath Injection) | Development Concepts (primary) 699; Research Concepts (primary) 1000
This weakness is similar to other weaknesses that enable injection-style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of the attack here is the XML database.
Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
2008-01-30 | Evgeny Lebanidze | Cigital | External Submission

Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description, Name, References, Relationship Notes
2009-03-10 | CWE Content Team | MITRE | Internal | updated Demonstrative Examples
2009-05-27 | CWE Content Team | MITRE | Internal | updated Name
2009-10-29 | CWE Content Team | MITRE | Internal | updated Common Consequences

Previous Entry Names

Change Date | Previous Entry Name
---|---
2008-10-14 | Unsafe Treatment of XPath Input
2009-05-27 | Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')