...
[Prevention of XPath injection] requires the following characters to be removed (that is, prohibited) or properly escaped:
< > / ' = "to prevent straight parameter injection.- XPath queries should not contain any meta characters (such as
' = * ? //or similar).- XSLT expansions should not contain any user input, or if they do, [you should] comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
| Parasoft Jtest |
| CERT.IDS53.TDJXPATH CERT.IDS53.TDXPATH | Protect against JXPath injection Protect against XPath injection |
Bibliography
| [Fortify 2008] | "Input Validation and Representation: XML Injection" |
| [Oracle 2011b] | Ensure Data Security |
| [OWASP 2014] | Testing for XPath Injection |
| [Sen 2007] | Avoid the Dangers of XPath Injection |
| [Sun 2006] | Ensure Data Security |
...
...