CWE-643

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Abstraction: Base
Status: Incomplete

Description

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism

Scope: Confidentiality
Impact: Read Application Data

Potential Mitigations

Phase: Implementation

Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.

Phase: Implementation

Properly validate user input. Reject data where appropriate, filter where appropriate, and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.

Applicable Platforms

Not Language-Specific
