XPath injection is an attack targeting websites that create XPath queries from user-supplied data. If an application embeds unprotected data into an XPath query, the query can be altered so that it is no longer parsed in the manner originally intended.
Let's consider the following XML code:
The vulnerable web page uses an authentication system that looks up users in this XML data file. Once a username and password have been supplied, the software might use XPath to find the matching user (C# programming language):
The attacker can forge malicious input without knowing the username or password:
- Username: anything' or 1=1 or 'a'='a
- Password: anything
This translates to:
Only the first part of the XPath predicate needs to be true. Because `1=1` always holds, the password comparison becomes irrelevant and the username part matches every user in the file.
- Escape single and double quotes in user-supplied values if your application embeds them in a query string.
- Use precompiled XPath expressions and pass user values as variables, so that input is never part of the query text.
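The injection described above and both mitigations, shown side by side as an added C# example that is not part of the original page. The XML user store, the user names and passwords, and the `VariableContext` helper (a minimal `XsltContext` that supplies `$u` and `$p` to a precompiled expression) are constructed here for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.XPath;
using System.Xml.Xsl;

// Minimal XsltContext that resolves $name variables from a dictionary.
// Constructed for this example; .NET requires a context like this to bind
// variables in a compiled XPathExpression.
class VariableContext : XsltContext
{
    private readonly Dictionary<string, object> _vars = new Dictionary<string, object>();
    public void Set(string name, object value) => _vars[name] = value;

    public override int CompareDocument(string baseUri, string nextbaseUri) => 0;
    public override bool PreserveWhitespace(XPathNavigator node) => false;
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) => null;
    public override IXsltContextVariable ResolveVariable(string prefix, string name) => new Variable(_vars[name]);
    public override bool Whitespace => true;

    private class Variable : IXsltContextVariable
    {
        private readonly object _value;
        public Variable(object value) => _value = value;
        public object Evaluate(XsltContext ctx) => _value;
        public bool IsLocal => false;
        public bool IsParam => false;
        public XPathResultType VariableType => XPathResultType.String;
    }
}

static class XPathInjectionDemo
{
    // Constructed sample user store, standing in for the page's XML file.
    const string SampleXml = @"<users>
  <user><username>alice</username><password>alice-pass</password></user>
  <user><username>bob</username><password>bob-pass</password></user>
</users>";

    // VULNERABLE: user input is concatenated straight into the query text.
    static bool LoginVulnerable(XPathNavigator nav, string user, string pass)
    {
        string query = "//user[username/text()='" + user +
                       "' and password/text()='" + pass + "']";
        return nav.Select(query).Count > 0;
    }

    // Mitigation 1 (escaping): turn any string into a valid XPath string literal.
    // A value containing both quote kinds is split and rejoined with concat().
    static string XPathLiteral(string value)
    {
        if (!value.Contains("'")) return "'" + value + "'";
        if (!value.Contains("\"")) return "\"" + value + "\"";
        var parts = value.Split('\'').Select(p => "'" + p + "'");
        return "concat(" + string.Join(", \"'\", ", parts) + ")";
    }

    static bool LoginEscaped(XPathNavigator nav, string user, string pass)
    {
        string query = "//user[username/text()=" + XPathLiteral(user) +
                       " and password/text()=" + XPathLiteral(pass) + "]";
        return nav.Select(query).Count > 0;
    }

    // Mitigation 2 (precompiled): the query text is fixed at compile time;
    // the user-supplied values arrive only as the variables $u and $p.
    static readonly XPathExpression LoginExpr =
        XPathExpression.Compile("//user[username/text()=$u and password/text()=$p]");

    static bool LoginPrecompiled(XPathNavigator nav, string user, string pass)
    {
        var ctx = new VariableContext();
        ctx.Set("u", user);
        ctx.Set("p", pass);
        XPathExpression expr = LoginExpr.Clone();
        expr.SetContext(ctx);
        return nav.Select(expr).Count > 0;
    }

    static void Main()
    {
        var nav = new XPathDocument(new StringReader(SampleXml)).CreateNavigator();
        string payload = "anything' or 1=1 or 'a'='a";  // the injection string from the text

        Console.WriteLine("vulnerable : " + LoginVulnerable(nav, payload, "anything"));
        Console.WriteLine("escaped    : " + LoginEscaped(nav, payload, "anything"));
        Console.WriteLine("precompiled: " + LoginPrecompiled(nav, payload, "anything"));
        Console.WriteLine("valid login: " + LoginPrecompiled(nav, "alice", "alice-pass"));
    }
}
```

Run against the constructed store, the concatenated query accepts the injected username with any password because the `or 1=1` clause makes the predicate true for every `<user>`, while both hardened variants reject it: the escaped version wraps the payload in a double-quoted literal so the quotes inside it are just characters, and the precompiled version compares the whole payload as a string value. A genuine username and password still authenticate through the precompiled path, which is the form to prefer since it never rebuilds query text from input.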