XPath Injection
Description
XPath injection is a vulnerability that can allow an adversary to inject into or modify the structure of an XML query. Depending on the logic of the original query, this could lead to adversaries extracting unauthorized information or, in rare cases, bypassing authorization checks.
Examples
Insecure Code
c#
($TY $VAR).$FUNC(<...$ARG...>,...)
Secure Code
c#
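using System.Linq;
using System.Xml.Linq;

XDocument doc = XDocument.Load("users.xml");
XNamespace ns = "urn:users-schema";
string userInput = "LastName";
// Project every user element, then keep the first one whose last name
// equals the input. The input is only compared as a value; it is never
// parsed as part of a query expression.
var user = doc.Descendants(ns + "user")
    .Select(u => new {
        FirstName = (string)u.Element(ns + "first-name"),
        LastName = (string)u.Element(ns + "last-name")
    }).Where(u => u.LastName == userInput).FirstOrDefault();
Remediation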
Use LINQ to XML instead of XPath for querying XML documents and avoid calling LINQ functions with user input.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0452 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-643 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XPath Injection, XML Security |
| OWASP | A1:2017-Injection, A03:2021-Injection |