When sensitive data is stored in XML rather than an SQL database, attackers can use XPath injection to do anything from circumventing authentication to reading and writing data on the remote system.
XML documents are getting so complex that they are no longer human readable—which was one of the original advantages of XML. To sort through complex XML documents, developers created the XPath language. XPath is a query language for XML documents, much like SQL is a query language for databases. Like SQL, XPath also has injection issues.
Consider the following XML document identifying IDs, usernames, and passwords for a web application:
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<id> 1 </id>
<username> admin </username>
<password> xpathr00lz </password>
</user>
<user>
<id> 2 </id>
<username> testuser </username>
<password> test123 </password>
</user>
<user>
<id> 3 </id>
<username> lonelyhacker15 </username>
<password> mypassword </password>
</user>
</users>
A developer could perform an authentication routine with the following Java code:
import java.io.File;
import java.io.FileInputStream;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

String username = req.getParameter("username");
String password = req.getParameter("password");
XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
File file = new File("/usr/webappdata/users.xml");
InputSource src = new InputSource(new FileInputStream(file));
// Vulnerable: the raw request parameters are concatenated straight into the query
XPathExpression expr = xpath.compile("//users/user[username/text()='" + username + "' and password/text()='" + password + "']/id/text()");
String id = expr.evaluate(src);
This code loads up the XML document and queries for the ID associated with the provided username and password. Assuming the username was admin and the password was xpathr00lz, the XPath query would be this:
//users/user[username/text()='admin' and password/text()='xpathr00lz']/id/text()
Notice that the user input is not escaped in the Java code, so an attacker can place any data or XPath instructions in this XPath query, such as setting the password to ' or '1'='1; the query would then be this:
//users/user[username/text()='admin' and password/text()='' or '1'='1']/id/text()
This query would find the ID where the username is admin and the password is either an empty string (which is highly unlikely) or 1=1 (which is always true). Because XPath's and binds more tightly than or, the predicate is true for every user in the document, and the first ID returned is the administrator's. Thus, injecting ' or '1'='1 returns the ID for the administrator without the attacker knowing the administrator's password.
Note that XPath is a subset of a larger XML querying language called XQuery. Like XPath and SQL, XQuery possesses the same injection problems. With a little knowledge of XQuery syntax and after reading this chapter, you should have sufficient knowledge to test for XQuery injection, too.
Countermeasure: Preventing XPath Injection
The process for fixing XPath injection is nearly identical to that for fixing SQL injection: constrain data types and escape strings. In this case, you must escape with HTML entity encodings; for example, an apostrophe is escaped to &apos;. As noted earlier, use the appropriate escape routine accompanying the XPath library you are using, as XPath implementations differ.
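The vulnerable lookup from the servlet code above and a parameterized alternative, side by side, as an added example that is not part of the original text. The users document is embedded inline (whitespace trimmed so the text() comparisons match), the class and method names are my own, and the hardened version binds the request values through javax.xml.xpath's XPathVariableResolver so that a quote in the input can never alter the query's structure; that is a stronger fix than escaping because the query string is a constant.

```java
import java.io.StringReader;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

public class XPathAuthDemo {
    // Constructed copy of the users document from the text, whitespace trimmed
    static final String USERS_XML =
        "<?xml version=\"1.0\"?>"
      + "<users>"
      + "<user><id>1</id><username>admin</username><password>xpathr00lz</password></user>"
      + "<user><id>2</id><username>testuser</username><password>test123</password></user>"
      + "<user><id>3</id><username>lonelyhacker15</username><password>mypassword</password></user>"
      + "</users>";

    // Vulnerable: request values are concatenated into the query, as in the servlet code
    static String lookupIdUnsafe(String username, String password) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String query = "//users/user[username/text()='" + username
                     + "' and password/text()='" + password + "']/id/text()";
        return xpath.evaluate(query, new InputSource(new StringReader(USERS_XML)));
    }

    // Hardened: the query is a constant; input reaches it only as XPath variable values,
    // so quotes or operators in the input are compared as data, never parsed as syntax
    static String lookupIdSafe(String username, String password) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name -> {
            if ("username".equals(name.getLocalPart())) return username;
            if ("password".equals(name.getLocalPart())) return password;
            return null;
        });
        String query = "//users/user[username/text()=$username and password/text()=$password]/id/text()";
        return xpath.evaluate(query, new InputSource(new StringReader(USERS_XML)));
    }

    public static void main(String[] args) throws XPathExpressionException {
        String payload = "' or '1'='1";
        // Unsafe query with the payload: predicate is true for every user, first id (1) comes back
        System.out.println("unsafe, injected: id=" + lookupIdUnsafe("admin", payload));
        // Safe query with the same payload: no user has that literal password, empty result
        System.out.println("safe, injected:   id=" + lookupIdSafe("admin", payload));
        // Safe query with the real credentials still works
        System.out.println("safe, correct:    id=" + lookupIdSafe("admin", "xpathr00lz"));
    }
}
```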