XPath Injection

ID

java.xpath_injection

Severity

high

Resource

Injection

Language

Java

Tags

CWE:643, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1

Description

Improper neutralization of data within XPath expressions ('XPath Injection').

XPath is a query language used to select nodes from XML documents. Similar to SQL injection, XPath Injection involves manipulating the structure of queries using user-supplied input. When the software fails to sanitize input properly, attackers can insert malicious characters or expressions that alter the intended query, potentially exposing sensitive information or allowing access to unauthorized data.

Rationale

If the software uses untrusted input to dynamically construct the XPath expression used to retrieve data from an XML source, but it does not neutralize or incorrectly neutralizes that input, it is vulnerable to XPath Injection. This allows an attacker to control the semantics of the query.

The attacker will have control over the information selected from the XML database and can control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

Consider the following Java code example demonstrating a potential XPath Injection vulnerability:

import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.StringReader;

public class XPathInjectionExample {
    public String getUserInfo(String username) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(loadXML())));

        XPath xpath = XPathFactory.newInstance().newXPath();
        // Vulnerable to XPath Injection
        String expression = "/users/user[username/text()='" + username + "']/info/text()";
        return xpath.evaluate(expression, doc);
    }

    private String loadXML() {
        // Simulate loading of an XML string
        return "<users><user><username>user1</username><info>info1</info></user></users>";
    }
}

In this example, username is included directly in the XPath expression without any sanitization. An attacker could manipulate the input to inject additional XPath logic, resulting in unauthorized access to XML data.

Remediation

To protect applications from XPath Injection vulnerabilities, apply the following remediation strategies:

  • Input validation and canonicalization: Rigorously validate and canonicalize all user inputs before using them in XPath expressions to reduce the risk of injection attacks.

  • Parameterized XPath queries: Utilize libraries or techniques that support parameterized XPath queries where possible. Although not as widely available as parameterized SQL queries, parameterization helps isolate user inputs from query logic.

  • Escaping user input: Properly escape special characters in user inputs that are used within XPath expressions to prevent them from altering the query. For example, replacing ' (quote) with &apos;, its encoded version. Please note that escaping alone is not recommended and should be used in conjunction with other measures.

import org.apache.commons.lang3.StringEscapeUtils; // Assuming usage of commons-text library

public class SecureXPathExample {

    public String getUserInfo(String username) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(loadXML())));

        XPath xpath = XPathFactory.newInstance().newXPath();
        // Secure by escaping user input
        String safeUsername = StringEscapeUtils.escapeXml10(username);
        String expression = "/users/user[username/text()='" + safeUsername + "']/info/text()";
        return xpath.evaluate(expression, doc);
    }

    private String loadXML() {
        // Simulate loading of an XML string
        return "<users><user><username>user1</username><info>info1</info></user></users>";
    }
}

  • Security Libraries and Frameworks: Leverage security libraries and frameworks that offer pre-built defenses against various types of injection attacks, including XPath Injection.

By carefully validating, escaping, and managing input data, Java applications can effectively mitigate the risks associated with XPath Injection, ensuring secure and reliable data access within XML documents.

Configuration

The detector has the following configurable parameters:

  • sources, that indicates the source kinds to check.

  • neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

  • CWE-643 : Improper Neutralization of Data within XPath Expressions ('XPath Injection').

  • OWASP Top 10 2021 - A03 : Injection.

  • SEI CERT IDS53-J - Prevent XPath Injection.