XPath injection

Description

Dynamic XPath statements are generated without the required data validation.

Impact

Inject queries to obtain sensitive information without authorization.

Recommendation

Perform input data validations on the server-side to avoid common injection attacks.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

Attack vector: N
Attack complexity: L
Privileges required: N
User interaction: N
Scope: U
Confidentiality: H
Integrity: H
Availability: H

Temporal

Exploit code madurity: X
Remediation level: X
Report confidence: X

Result

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Score:
- Base: 9.8
- Temporal: 9.8
Severity:
- Base: Critical
- Temporal: Critical

Code Examples

Compliant code

using System;
using System.Xml.XPath;
public partial class WebForm : System.Web.UI.Page{
  protected void Page_Load(){
    string operation = Request.Form["operation"];
    XPathNavigator AuthorizedOperations  = new XPathNavigator();
    // Must report
    XPathNavigator node = AuthorizedOperations.SelectSingleNode(operation);
  }
}

Non compliant code

public void bad() throws Throwable{
  String data = "";
  /* Code not shown: Read data using an outbound tcp connection */

  if (data != null){
    /* assume username||password as source */
    String [] tokens = data.split("||");
    if (tokens.length < 2){
      return;
    }
    String username = tokens[0];
    String password = tokens[1];
    /* build xpath */
    XPath xPath = XPathFactory.newInstance().newXPath();
    InputSource inputXml = new InputSource(xmlFile);
    /* INCIDENTAL: CWE180 Incorrect Behavior Order: Validate Before Canonicalize
    *     The user input should be canonicalized before validation. */
    /* POTENTIAL FLAW: user input is used without validating */
    String query = "//users/user[name/text()='" + username +
                  "' and pass/text()='" + password + "']" +
                  "/secret/text()";
    String secret = (String)xPath.evaluate(query, inputXml, XPathConstants.STRING);
  }
}

Requirements

173. Discard unsafe inputs

Description​

Impact​

Recommendation​

Threat​

Expected Remediation Time​

Score​

Base​

Temporal​

Result​

Code Examples​

Compliant code​

Non compliant code​

Requirements​