XPath injection
Description
Dynamic XPath statements are generated without the required data validation.
Impact
Inject queries to obtain sensitive information without authorization.
Recommendation
Perform input data validations on the server-side to avoid common injection attacks.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: N
- User interaction: N
- Scope: U
- Confidentiality: H
- Integrity: H
- Availability: H
Temporal
- Exploit code maturity: X
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
- Score:
  - Base: 9.8
  - Temporal: 9.8
- Severity:
  - Base: Critical
  - Temporal: Critical
Code Examples
Compliant code
using System;
using System.Text.RegularExpressions;
using System.Xml.XPath;
public partial class WebForm : System.Web.UI.Page {
    // Allow-list: an operation name is letters, digits and underscores only
    private static readonly Regex OperationName = new Regex("^[A-Za-z0-9_]+$");
    protected void Page_Load() {
        string operation = Request.Form["operation"];
        // Reject anything that could change the structure of the XPath query
        if (operation == null || !OperationName.IsMatch(operation)) {
            return;
        }
        // XPathNavigator is abstract; obtain one from a document (path assumed here)
        XPathNavigator authorizedOperations =
            new XPathDocument(Server.MapPath("~/App_Data/operations.xml")).CreateNavigator();
        XPathNavigator node = authorizedOperations.SelectSingleNode(operation);
    }
}
Non-compliant code
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

public class XPathInjectionBad {
    public void bad(String xmlFile) throws Throwable {
        String data = "";
        /* Code not shown: Read data using an outbound tcp connection */
        if (data != null) {
            /* assume username||password as source; split() takes a regex, so the bars are escaped */
            String[] tokens = data.split("\\|\\|");
            if (tokens.length < 2) {
                return;
            }
            String username = tokens[0];
            String password = tokens[1];
            /* build xpath */
            XPath xPath = XPathFactory.newInstance().newXPath();
            InputSource inputXml = new InputSource(xmlFile);
            /* INCIDENTAL: CWE180 Incorrect Behavior Order: Validate Before Canonicalize
             * The user input should be canonicalized before validation. */
            /* POTENTIAL FLAW: user input is concatenated into the query without validation */
            String query = "//users/user[name/text()='" + username +
                "' and pass/text()='" + password + "']" +
                "/secret/text()";
            String secret = (String) xPath.evaluate(query, inputXml, XPathConstants.STRING);
        }
    }
}
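As an added example (not the page's own code), the concatenation used in bad() side by side with a parameterized query that binds the input through javax.xml.xpath's XPathVariableResolver. The user document, names and passwords are constructed here; the apostrophe case shows why the concatenated form is unsafe even for honest input.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLookup {
    // Constructed sample user store; the second name contains an apostrophe on purpose.
    static final String USERS_XML = "<users>"
        + "<user><name>alice</name><pass>pw-a</pass><secret>token-a</secret></user>"
        + "<user><name>o'brien</name><pass>pw-o</pass><secret>token-o</secret></user>"
        + "</users>";

    // Vulnerable: same construction as bad() above. The input is spliced into the XPath
    // text, so a quote in it changes the structure of the query rather than a value.
    static String lookupConcat(Document doc, String username, String password) throws XPathExpressionException {
        XPath xPath = XPathFactory.newInstance().newXPath();
        String query = "//users/user[name/text()='" + username
            + "' and pass/text()='" + password + "']/secret/text()";
        return xPath.evaluate(query, doc);
    }

    // Hardened: the query text is a constant; the input is bound to $username/$password
    // via an XPathVariableResolver and can only ever be compared as a string value.
    static String lookupParameterized(Document doc, String username, String password) throws XPathExpressionException {
        XPath xPath = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("username", username, "password", password);
        xPath.setXPathVariableResolver(name -> vars.get(name.getLocalPart()));
        return xPath.compile(
            "//users/user[name/text()=$username and pass/text()=$password]/secret/text()").evaluate(doc);
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        // Legitimate value with an apostrophe: the concatenated query no longer parses,
        // while the parameterized query matches the user and returns that user's secret.
        try {
            System.out.println("concat: " + lookupConcat(doc, "o'brien", "pw-o"));
        } catch (XPathExpressionException e) {
            System.out.println("concat: input broke the query: " + e.getMessage());
        }
        System.out.println("parameterized: " + lookupParameterized(doc, "o'brien", "pw-o"));
    }
}
```

The page's allow-list recommendation still applies as a second layer: parameterization keeps the input out of the query syntax, while validation rejects values that should never reach the lookup at all.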