XPath injection

Description

Dynamic XPath statements are generated without the required data validation.

Impact

Inject queries to obtain sensitive information without authorization.

Recommendation

Perform input data validations on the server-side to avoid common injection attacks.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: H
  • Integrity: H
  • Availability: H

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
  • Score:
    • Base: 9.8
    • Temporal: 9.8
  • Severity:
    • Base: Critical
    • Temporal: Critical

Code Examples

Compliant code

using System;
using System.Xml.XPath;

public partial class WebForm : System.Web.UI.Page
{
    protected void Page_Load()
    {
        string operation = Request.Form["operation"];
        // XPathNavigator is abstract and cannot be constructed directly; obtain one
        // from a document (the file name is assumed, the original does not give it)
        XPathNavigator AuthorizedOperations =
            new XPathDocument(Server.MapPath("AuthorizedOperations.xml")).CreateNavigator();
        // Must report: the form value is used verbatim as the XPath expression
        XPathNavigator node = AuthorizedOperations.SelectSingleNode(operation);
    }
}

Non compliant code

import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

public class NonCompliant {
    /* Path of the users document; assumed, the original does not define it */
    private static final String xmlFile = "users.xml";

    public void bad() throws Throwable {
        String data = "";
        /* Code not shown: Read data using an outbound tcp connection */

        if (data != null) {
            /* assume username||password as source
             * (split() takes a regex, so the separator must be escaped) */
            String[] tokens = data.split("\\|\\|");
            if (tokens.length < 2) {
                return;
            }
            String username = tokens[0];
            String password = tokens[1];
            /* build xpath */
            XPath xPath = XPathFactory.newInstance().newXPath();
            InputSource inputXml = new InputSource(xmlFile);
            /* INCIDENTAL: CWE180 Incorrect Behavior Order: Validate Before Canonicalize
             * The user input should be canonicalized before validation. */
            /* POTENTIAL FLAW: user input is concatenated into the query without validating,
             * so a quote character in username or password changes the predicate itself */
            String query = "//users/user[name/text()='" + username +
                "' and pass/text()='" + password + "']" +
                "/secret/text()";
            String secret = (String) xPath.evaluate(query, inputXml, XPathConstants.STRING);
        }
    }
}
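The following is an added example, not code from the original page or from the Juliet test case the non-compliant sample derives from. It shows the same credential lookup with the two controls the Recommendation calls for: server-side allowlist validation of the input, and an XPath expression that is a fixed string whose user-supplied values are bound as XPath variables ($name, $pass) through an XPathVariableResolver, so the values can never be parsed as expression syntax. The users document is constructed in memory for the demonstration; the class name, the allowed character set and the field names are assumptions.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

public class SafeXPathLookup {

    // Constructed sample document; a real application would load it from storage.
    private static final String USERS_XML =
        "<users>"
      + "<user><name>alice</name><pass>s3cret</pass><secret>alice-token</secret></user>"
      + "<user><name>bob</name><pass>hunter2</pass><secret>bob-token</secret></user>"
      + "</users>";

    // Server-side validation: only the character set the application needs (assumed here).
    // Quotes, brackets, slashes and parentheses are rejected before any query is built.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_.@-]{1,64}");

    // The expression is a compile-time constant; $name and $pass are XPath variables
    // resolved at evaluation time, so their values are data, not expression text.
    private static final String QUERY =
        "//users/user[name/text()=$name and pass/text()=$pass]/secret/text()";

    /** Returns the user's secret, or null when the input is invalid or no user matches. */
    public static String lookupSecret(String username, String password) throws Exception {
        if (username == null || password == null
                || !ALLOWED.matcher(username).matches()
                || !ALLOWED.matcher(password).matches()) {
            return null; // reject rather than attempt to "clean" the input
        }

        XPath xPath = XPathFactory.newInstance().newXPath();
        // Bind the validated values to the variables referenced in QUERY.
        xPath.setXPathVariableResolver(variableName -> {
            String local = variableName.getLocalPart();
            if ("name".equals(local)) {
                return username;
            }
            if ("pass".equals(local)) {
                return password;
            }
            return null;
        });

        XPathExpression expr = xPath.compile(QUERY);
        String secret = (String) expr.evaluate(
            new InputSource(new StringReader(USERS_XML)), XPathConstants.STRING);
        // An empty node set evaluates to the empty string.
        return secret.isEmpty() ? null : secret;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("valid credentials:   " + lookupSecret("alice", "s3cret"));
        System.out.println("wrong password:      " + lookupSecret("alice", "wrong"));
        // A quote character fails validation and never reaches the XPath evaluator.
        System.out.println("rejected input:      " + lookupSecret("a'b", "x"));
    }
}
```

Either control on its own closes the injection; using both is deliberate. The allowlist is the cheap first line and gives a clear rejection to log and alert on, while the variable binding guarantees that, even if the validation rule is later loosened, the query structure cannot be altered by input. Variable binding is the XPath analogue of a parameterized SQL statement; in .NET the equivalent is supplying the values through a custom XsltContext rather than string concatenation.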

Requirements