XPath Injection

Example 1: Java

Vulnerable Code:

Reason for vulnerability: User input is directly used in the XPath expression, allowing XPath injection.

Fixed Code:

Reason for fix: Use parameterized XPath expressions to prevent injection.

Example 2: Python

Vulnerable Code:

Reason for vulnerability: User input is directly used in the XPath expression, allowing XPath injection.

Fixed Code:

Reason for fix: Use parameterized XPath expressions to prevent injection.

Java Example

Vulnerable Code:

Reason for Vulnerability:

This code directly incorporates user input into an XPath expression, allowing injection of malicious XPath.

Fixed Code:

Reason for Fix:

The fixed code uses XPath parameter binding to separate the query from user input, preventing XPath injection.

PHP Example

Vulnerable Code:

Reason for Vulnerability:

This code directly incorporates user input into an XPath query, allowing injection of malicious XPath.

Fixed Code:

Reason for Fix:

The fixed code uses parameterized queries to separate the XPath query from user input.

C# Example

Vulnerable Code:

Reason for Vulnerability:

This code directly incorporates user input into an XPath query, allowing injection of malicious XPath.

Fixed Code:

Reason for Fix:

The fixed code uses parameterized XPath queries to separate the query from user input.

PreviousInsecure Deserialization NextLDAP Injection

Last updated 3 months ago

javaCopyimport javax.xml.xpath.*; import org.w3c.dom.*; public class UserLookup { public String findUser(String username, String password) throws Exception { String xpathExpr = "//user[username='" + username + "' and password='" + password + "']/role/text()"; XPathFactory xpathFactory = XPathFactory.newInstance(); XPath xpath = xpathFactory.newXPath(); return (String) xpath.evaluate(xpathExpr, xmlDocument, XPathConstants.STRING); } }

javaCopyimport javax.xml.xpath.*; import org.w3c.dom.*; public class UserLookup { public String findUser(String username, String password) throws Exception { String xpathExpr = "//user[username=$username and password=$password]/role/text()"; XPathFactory xpathFactory = XPathFactory.newInstance(); XPath xpath = xpathFactory.newXPath(); SimpleBindings bindings = new SimpleBindings(); bindings.put("username", username); bindings.put("password", password); return (String) xpath.evaluate(xpathExpr, xmlDocument, XPathConstants.STRING, bindings); } }

csharpCopyusing System.Xml.XPath; public string GetUserRole(string username, string password) { XPathNavigator nav = xmlDoc.CreateNavigator(); string query = $"string(//user[username='{username}' and password='{password}']/role)"; return nav.Evaluate(query).ToString(); }

csharpCopyusing System.Xml.XPath; public string GetUserRole(string username, string password) { XPathNavigator nav = xmlDoc.CreateNavigator(); XPathExpression expr = nav.Compile("string(//user[username=@u and password=@p]/role)"); expr.SetContext(new XPathContext { {"u", username}, {"p", password} }); return nav.Evaluate(expr).ToString(); }