XPath Injection

Risk type: LOW


XPath injection is an attack on applications that build XPath queries from user-supplied data. If untrusted input is embedded into an XPath query without being escaped or parameterized, an attacker can change the structure of the query so that it is no longer evaluated in the way the developer intended.


Consider the following XML data file. Only the elements that the lookup query below reads are shown, and the element values are elided:

<?xml version="1.0" encoding="utf-8"?>
<Employees>
  <Employee ID="1"><UserName>...</UserName><Password>...</Password></Employee>
  <Employee ID="2"><UserName>...</UserName><Password>...</Password></Employee>
</Employees>

The vulnerable web page authenticates users against this XML data file. Once a username and password have been submitted, the application looks the user up with an XPath query assembled by string concatenation (C#; note that XPath keywords are case-sensitive and must be lowercase):

String FindUserXPath;
FindUserXPath = "//Employee[UserName/text()='" + Request["Username"] + "' and Password/text()='" + Request["Password"] + "']";

The attacker can forge malicious input without knowing the username or password:

  • Username: anything' or 1=1 or 'a'='a
  • Password: anything

The resulting query is:

FindUserXPath = "//Employee[UserName/text()='anything' or 1=1 or 'a'='a' and Password/text()='anything']";

In XPath, "and" binds more tightly than "or", so the predicate is evaluated as UserName/text()='anything' or 1=1 or ('a'='a' and Password/text()='anything'). Because 1=1 is always true, the predicate is true for every Employee element: the password comparison becomes irrelevant and the query matches all employees, so the application typically logs the attacker in as the first user in the file without a valid username or password.


  • Treat user input as data, not as query text: pass it to the XPath engine through variables in a precompiled (parameterized) XPath expression instead of concatenating it into the query string. In .NET, compile the expression once with XPathExpression.Compile and resolve the variables through a custom XsltContext; in Java, use XPathExpression together with an XPathVariableResolver.
  • If the XPath engine cannot take variables, validate input against an allow-list of expected characters and reject single and double quotes. XPath 1.0 string literals have no escape sequence for the quote character that delimits them, so a quote cannot be made safe by escaping; it has to be rejected or the literal built with concat().
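The following Ruby script is an added example, not code from the original page, that reproduces both the attack described above and the parameterized fix recommended here using the REXML XPath engine from Ruby's standard distribution. The employee records (abaker, cdoe and their passwords) are constructed sample data; find_user_vulnerable mirrors the string-concatenating C# query, while find_user_safe keeps the query text fixed and hands the credentials to the engine as the XPath variables $u and $p.

```ruby
require 'rexml/document'

# Constructed sample data file (hypothetical users, not from the original page).
EMPLOYEES_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Employees>
    <Employee ID="1">
      <UserName>abaker</UserName>
      <Password>S3cret!</Password>
    </Employee>
    <Employee ID="2">
      <UserName>cdoe</UserName>
      <Password>hunter2</Password>
    </Employee>
  </Employees>
XML

DOC = REXML::Document.new(EMPLOYEES_XML)

# The username payload from the page: it closes the open string literal and
# appends an always-true term, so the password clause no longer matters.
PAYLOAD = "anything' or 1=1 or 'a'='a".freeze

# Vulnerable lookup: user input is spliced straight into the query text,
# exactly like the C# snippet. Returns the IDs of every matching Employee.
def find_user_vulnerable(username, password)
  xpath = "//Employee[UserName/text()='#{username}' and Password/text()='#{password}']"
  REXML::XPath.match(DOC, xpath).map { |e| e.attributes['ID'] }
end

# Hardened lookup: the query text is a fixed constant and the credentials are
# supplied as XPath variables, so quotes and operators in the input are just
# characters to compare against, never query syntax.
SAFE_XPATH = '//Employee[UserName/text()=$u and Password/text()=$p]'.freeze

def find_user_safe(username, password)
  REXML::XPath.match(DOC, SAFE_XPATH, {}, { 'u' => username, 'p' => password })
              .map { |e| e.attributes['ID'] }
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable, payload:     #{find_user_vulnerable(PAYLOAD, 'anything').inspect}"
  puts "safe, payload:           #{find_user_safe(PAYLOAD, 'anything').inspect}"
  puts "safe, real credentials:  #{find_user_safe('abaker', 'S3cret!').inspect}"
end
```

Run with the payload, the vulnerable query returns both employee IDs, while the parameterized query returns nothing because it literally compares UserName against the string "anything' or 1=1 or 'a'='a". The same variable-binding approach is what XPathVariableResolver in Java and a custom XsltContext in .NET provide.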

Further reading: