XPath injection occurs when an XML document is used for data storage in a manner similar to a relational database. This attack is similar to SQL injection (see VOID IDS07-J. Prevent SQL Injection), in which an attacker enters valid SQL constructs into the data fields of the query in use. Typically, the conditional part of the query resolves to a tautology or gives the attacker access to privileged information. This guideline is a specific example of the broadly scoped guideline void Filter data that passes through a trust boundary.

...

Because the '1'='1' is automatically true, the password is never validated. Consequently, the attacker is falsely logged in as user Utah without having to know the password.

To comply with guideline MSC05-J. Store passwords using a hash function, the passwords would have to be encrypted. Unfortunately, on many small systems, they are not, so the password text added in the query string would match precisely what the user enters. An attacker could supply a password such as:

...

  • Treat all user input as untrusted and perform appropriate sanitization.
  • When sanitizing user input, verify the correctness of the data type, length, format, and content. For example, use a regular expression that checks for XML tags and special characters in user input. This corresponds to input sanitization. See guideline void Filter data that passes through a trust boundary for additional details.
  • In a client-server application, perform validation at both the client and the server side.
  • Extensively test applications that supply, propagate, or use user input.
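The following is an added example, not code from the original guideline page. It shows the login check discussed above in two forms: a noncompliant version that concatenates user input into the XPath expression (so the `' or '1'='1` tautology matches every user), and a hardened version that whitelists the login field with a regular expression and binds both fields as XPath variables through `XPathVariableResolver`, so the password text can never change the structure of the query. The XML user store, the user names, and the passwords are constructed sample data; the class and method names are chosen for this example.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {

    // Constructed sample user store. Passwords are stored in plaintext only to
    // mirror the unhashed small-system scenario the guideline describes.
    private static final String USERS_XML =
        "<users>"
      + "  <user><login>Utah</login><password>correct-horse</password></user>"
      + "  <user><login>Bob</login><password>hunter2</password></user>"
      + "</users>";

    // Whitelist for the login field: data-type/format check from the mitigation list.
    // Passwords are deliberately not restricted (quotes are legitimate there),
    // which is why the query must also bind them as variables.
    private static final Pattern SAFE_LOGIN = Pattern.compile("[A-Za-z0-9_]{1,32}");

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Unrelated hardening: refuse DOCTYPE declarations in the user store.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Noncompliant: user input is concatenated into the XPath expression.
    // With password = "' or '1'='1" the predicate becomes
    //   login/text()='Utah' and password/text()='' or '1'='1'
    // and, because "and" binds tighter than "or", every user node matches.
    static boolean loginUnsafe(Document doc, String login, String password) throws Exception {
        String expr = "//users/user[login/text()='" + login
                    + "' and password/text()='" + password + "']";
        XPath xpath = XPathFactory.newInstance().newXPath();
        NodeList hits = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength() > 0;
    }

    // Compliant: validate the login format, then bind both values as XPath
    // variables. The expression text is a constant, so no input can alter it.
    static boolean loginSafe(Document doc, String login, String password) throws Exception {
        if (login == null || password == null || !SAFE_LOGIN.matcher(login).matches()) {
            return false;
        }
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver((QName name) -> {
            switch (name.getLocalPart()) {
                case "login":    return login;
                case "password": return password;
                default:         return null;
            }
        });
        XPathExpression compiled = xpath.compile(
            "//users/user[login/text()=$login and password/text()=$password]");
        NodeList hits = (NodeList) compiled.evaluate(doc, XPathConstants.NODESET);
        return hits.getLength() > 0;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String tautology = "' or '1'='1";   // the payload discussed in the text

        System.out.println("unsafe, tautology password: " + loginUnsafe(doc, "Utah", tautology));
        System.out.println("safe,   tautology password: " + loginSafe(doc, "Utah", tautology));
        System.out.println("safe,   correct password:   " + loginSafe(doc, "Utah", "correct-horse"));
        System.out.println("safe,   malformed login:    " + loginSafe(doc, "Utah' or '1'='1", "x"));
    }
}
```

Running `main` contrasts the two paths on the same input: the concatenating version accepts the tautology for user Utah, while the binding version compares the literal string `' or '1'='1` against the stored password and rejects it, and still accepts the genuine password. The regular-expression check covers only the login field; binding the password as a variable is what removes the injection even for fields that must be allowed to contain quotes.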

...