
XPath injection is an attack targeting websites where XPath queries are built from user-supplied data. Here, the attacker can get the entire XML document without complete knowledge of it.
How exactly does the attack take place?
How can we implement this attack?

Thank you

preeti

1 Answer


see: http://www.ethicalhacker.net/content/view/185/24/

All injection attacks (including html/javascript injection, sql injection, hql injection) pretty much follow the same principles - basically anywhere you are concatenating user input to a command text, you have the potential for an injection attack.

Besides validating the input as mentioned in the above article, another approach (which might be preferred since it safely allows the use of any characters) would be to encode any user input before using it in an xpath.

Update: At least some Xpath libraries provide for declaring variables to allow safely evaluating user provided input for the xpath expression.

See:

Nathan
  • So it's just SQL injection only for xpath, and it's just because of a lack of 'prepared statements' for xpath queries? – Will Feb 04 '10 at 20:04
  • @Will: essentially, yes. Edited answer to give a bit more detail. – Nathan Feb 04 '10 at 20:12
  • when I read the article, and it said "whitelist allowed characters" I could cry. That didn't get the SQL world very far. Where's the prepared statements approach for xpath? That's enough of a reason not to use xpath. – Will Feb 04 '10 at 20:40
  • @Will: You don't have prepared statement type of stuff for html or javascript either -- that's why they have encoding capabilities. I'm not sure precisely which encoding would be used for xpath - perhaps XML attribute encoding? At any rate, I generally prefer an encoding approach in these types of situations over a whitelisting (or even worse, blacklisting) approach. – Nathan Feb 04 '10 at 21:20
  • but then the xml itself needs to be encoded, right? Only that kind of assumes you control it. If you controlled it, you'd not use XML though... – Will Feb 04 '10 at 21:23
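The three approaches discussed above (concatenation, variable binding, and encoding the input) side by side, as an added Ruby example that is not code from the question, the answer or the linked article. REXML is used because it supports both `$variable` binding and `concat()`; the user-store document, the lookup functions and the inputs are constructed for illustration, and the literal-quoting helper is one standard XPath 1.0 technique for the "which encoding" question raised in the comments.

```ruby
require 'rexml/document'

# Constructed sample document standing in for an XML user store.
USERS_XML = <<~XML
  <users>
    <user><name>alice</name><pass>s3cret</pass><role>admin</role></user>
    <user><name>bob</name><pass>hunter2</pass><role>user</role></user>
  </users>
XML

def user_store
  REXML::Document.new(USERS_XML)
end

# Vulnerable: input is concatenated into the XPath text, so a quote in the
# input ends the string literal and rewrites the predicate itself.
def find_user_concat(name, pass)
  path = "//user[name='#{name}' and pass='#{pass}']"
  node = REXML::XPath.first(user_store, path)
  node && node.elements['name'].text
end

# Hardened: the expression is fixed; values are bound as XPath variables
# via REXML's variables hash, so input can only ever be a string value.
def find_user_vars(name, pass)
  path = '//user[name=$name and pass=$pass]'
  node = REXML::XPath.first(user_store, path, {}, { 'name' => name, 'pass' => pass })
  node && node.elements['name'].text
end

# For engines without variable binding: emit a safe XPath 1.0 string literal.
# XPath 1.0 has no escape for quotes, so a value holding both quote kinds is
# split into pieces joined with concat().
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{parts.join(%q{, "'", })})"
end

def find_user_escaped(name, pass)
  path = "//user[name=#{xpath_literal(name)} and pass=#{xpath_literal(pass)}]"
  node = REXML::XPath.first(user_store, path)
  node && node.elements['name'].text
end
```

With a constructed tautology such as `' or 1=1 or 'a'='a` as the name, `find_user_concat` returns the first user regardless of the password, while the variable-bound and escaped versions compare the whole string literally and return nil.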