Extensible Markup Language (XML) can be used for data storage in a manner similar to a relational database. Data is frequently retrieved from such an XML document using XPath expressions. XPath injection can occur when untrusted data supplied to an XPath retrieval routine is embedded in the query without proper sanitization. This attack is similar to SQL injection or XML injection (see the appropriate parts of IDS00-J. Sanitize untrusted data passed across a trust boundary) in that an attacker can enter valid XPath constructs in the data fields of the query in use. In typical attacks, the conditional (predicate) part of the query is made to resolve to a tautology, or is otherwise altered to give the attacker access to privileged information.

...

If an attacker knows that Utah is a valid user name, they can specify an input such as the following:

...

This noncompliant code example reads a user name and password from the user and uses them to construct the query string. The password is passed as a char array and then hashed. This example is vulnerable to the attack described earlier: if the attack string is passed to evaluate(), the method call returns the corresponding node in the XML file, causing the doLogin() method to return true and bypassing any authorization.

...

[Prevention of XPath injection] requires the following characters to be removed (i.e., prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection
  • XPath queries should not contain any metacharacters (such as ' = * ? // or similar)
  • XSLT expansions should not contain any user input, or if they do, [you should] comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy
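The following is an added example, not code from the CERT page itself, that puts the noncompliant login routine described above next to a parameterized alternative using the standard JAXP XPathVariableResolver (javax.xml.xpath), so the two can be compared on the same input. The user store (USERS_XML, user names Utah and Texas, the passwords) is constructed sample data; the class and method names are hypothetical, and password hashing is omitted to keep the contrast to the query construction. The point of the safe version is the one the prevention list above makes: once user input is bound as a variable ($login, $password) rather than spliced into the expression text, characters such as ' and = are plain data and cannot change the query's structure, so no character blacklist is needed.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {

    // Constructed sample user store (hypothetical data, not from the original page).
    private static final String USERS_XML =
          "<users>"
        + "  <user><username>Utah</username><password>correct-horse</password></user>"
        + "  <user><username>Texas</username><password>battery-staple</password></user>"
        + "</users>";

    // Parse the store with DTD processing disabled so the demo is not itself XXE-prone.
    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Noncompliant: untrusted strings are concatenated into the XPath expression text.
    // A password of  ' or '1'='1  turns the predicate into
    //   username/text()='Utah' and password/text()='' or '1'='1'
    // which is true for every <user> node, so evaluate() returns the first one.
    static boolean doLoginVulnerable(Document doc, String login, String password)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String query = "//users/user[username/text()='" + login
                     + "' and password/text()='" + password + "']";
        Object node = xpath.evaluate(query, doc, XPathConstants.NODE);
        return node != null;
    }

    // Compliant: the query text is a constant; user input is supplied through
    // XPath variables resolved by an XPathVariableResolver. The values are never
    // parsed as XPath, so quotes and operators inside them are inert.
    static boolean doLoginSafe(Document doc, String login, String password)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("login", login, "password", password);
        xpath.setXPathVariableResolver(name -> vars.get(name.getLocalPart()));
        XPathExpression expr = xpath.compile(
            "//users/user[username/text()=$login and password/text()=$password]");
        Object node = expr.evaluate(doc, XPathConstants.NODE);
        return node != null;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String attack = "' or '1'='1";   // the attack string discussed in the text

        System.out.println("vulnerable, correct credentials: "
            + doLoginVulnerable(doc, "Utah", "correct-horse"));
        System.out.println("vulnerable, attack string:       "
            + doLoginVulnerable(doc, "Utah", attack));
        System.out.println("safe, correct credentials:       "
            + doLoginSafe(doc, "Utah", "correct-horse"));
        System.out.println("safe, attack string:             "
            + doLoginSafe(doc, "Utah", attack));
    }
}
```

Run with a JDK 9 or later (Map.of). Both routines accept the genuine credentials; the concatenated query also accepts the attack string, because the injected `or '1'='1'` matches every user node, while the variable-bound query rejects it, since the resolver hands the whole string `' or '1'='1` to the comparison as a literal password value. The same XPathVariableResolver pattern applies to any XPath 1.0 engine reached through javax.xml.xpath; for XPath 2.0/XQuery engines such as Saxon, external variables serve the same purpose.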

Related Guidelines

...

Bibliography

...