XPath injection occurs when an XML document is used for data storage in a manner similar to a relational database. This attack is similar to SQL injection (see IDS07-J. Prevent SQL Injection), wherein an attacker can enter valid XPath constructs into the data fields of the query in use. Typically, the conditional field of the query resolves to a tautology or gives the attacker access to privileged information. This guideline is a specific example of the broadly scoped guideline IDS00-J. Always validate user input (Introduction to Input Validation and Data Sanitization).
XML Path Injection Example
...
- Treat all user input as untrusted and perform appropriate sanitization.
- When sanitizing user input, verify the correctness of the data type, length, format, and content. For example, use a regular expression that checks for XML tags and special characters in user input. This corresponds to input sanitization. See guideline IDS00-J. Always validate user input (Introduction to Input Validation and Data Sanitization) for additional details.
- In a client-server application, perform validation on both the client and the server; client-side checks alone can be bypassed.
- Extensively test applications that supply, propagate, or use user input.
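As an added example (not code from this guideline or its elided examples), the following Java login check shows the query-concatenation pattern described above beside one hardening approach: binding the values through `javax.xml.xpath`'s `XPathVariableResolver` so they are compared as data and never parsed as XPath. The user store, the class and method names, and the credentials are constructed sample data.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathLoginExample {
    // Constructed sample user store; a real application would load it from a file.
    static final String USERS_XML =
        "<users>"
      + "<user><username>alice</username><password>s3cret</password></user>"
      + "<user><username>bob</username><password>hunter2</password></user>"
      + "</users>";

    static Document load() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(USERS_XML)));
    }

    // Noncompliant pattern: user-controlled strings are spliced into the query text,
    // so a value such as ' or '1'='1 turns the predicate into a tautology.
    static int unsafeLoginCount(Document doc, String user, String pass) throws Exception {
        String q = "/users/user[username/text()='" + user
                 + "' and password/text()='" + pass + "']";
        NodeList n = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(q, doc, XPathConstants.NODESET);
        return n.getLength();
    }

    // Hardened alternative (an assumption of this example, not the page's own code):
    // the expression is fixed and the values arrive through variables, so quotes,
    // brackets and operators in the input are compared literally, never interpreted.
    static int safeLoginCount(Document doc, String user, String pass) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name -> {
            String local = name.getLocalPart();
            return local.equals("user") ? user : local.equals("pass") ? pass : null;
        });
        XPathExpression expr =
            xpath.compile("/users/user[username/text()=$user and password/text()=$pass]");
        return ((NodeList) expr.evaluate(doc, XPathConstants.NODESET)).getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = load();
        String tautology = "' or '1'='1";
        System.out.println(unsafeLoginCount(doc, "alice", "s3cret"));     // 1
        System.out.println(unsafeLoginCount(doc, tautology, tautology));  // 2: every user matches
        System.out.println(safeLoginCount(doc, "alice", "s3cret"));       // 1
        System.out.println(safeLoginCount(doc, tautology, tautology));    // 0
    }
}
```

A login check that returns "any match" rather than exactly one match should itself be treated as a defect, since it lets the tautology case pass as a successful login; the variable-bound query keeps the count at zero for that input.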
...