XPath injection occurs when an XML document is used for data storage in a manner similar to a relational database. This attack is similar to SQL injection, (see IDS07-J. Prevent SQL Injection) wherein an attacker can enter valid SQL constructs into the data fields of the query in use. Typically, the conditional field of the query resolves to a tautology or gives the attacker access to privileged information. This guideline is a specific example of the broadly scoped guideline IDS00-J. Always validate user input.
XML Path Injection Example
Consider the following XML schema.
Untrusted code may attempt to retrieve user details from this file with an XPath statement constructed dynamically from user input.
If an attacker knows that
Utah is a valid login ID, they can specify an input login ID such as:
This would yield the following query string:
'1'='1' is automatically true, the password is never validated. Consequently the attacker is falsely logged in as user
Utah, without having to know the password.
In order to comply with guideline MSC18-J Store passwords using a hash function, the passwords would have to be encrypted. Unfortunately, on many small systems, they are not, and so the password text added in the query string would match precisely what the user enters. An attacker could supply a password such as:
This would yield the following query string:
This time, the
'1'='1' tautology disables both login ID and password validation, and the attacker is falsely logged in without knowing a login ID or password.
Noncompliant Code Example
In this noncompliant code example, a user name and password is read from the user and used to construct the query string. The password is passed as a char array, and then hashed, all to comply with MSC18-J Store passwords using a hash function and MSC10-J. Limit the lifetime of sensitive data.
If passed the attack string for
login described above, the
evaluate() method call returns the corresponding login node in the XML file, causing the
login() method to return
true and bypass any authorization.
Compliant Solution (
XPath injection can be prevented by adopting defenses similar to those used to prevent SQL injection:
- Treat all user input as untrusted and perform appropriate sanitization.
- When sanitizing user input, verify the correctness of the data type, length, format and the content. For example, use a regular expression that checks for XML tags and special characters in user input. This corresponds to input sanitization. See guideline IDS00-J. Always validate user input for additional details.
- In a client-server application, perform validation at both the client and the server side.
- Extensively test applications that supply, propagate, or use user input.
An effective prevention technique for preventing the related issue of SQL injection is parameterization, whereby user-specified data is passed to an API as a parameter, thus ensuring that user-specified data is never interpreted as executable logic. Unfortunately, Java SE currently lacks an analogous interface for XPath queries. SQL parameterization can be emulated by using an interface (such as
XQuery) that supports specifying a query statement in a separate file that is supplied at runtime.
Input File: login.qry
This compliant solution uses a query specified in a text file by reading the file in the required format and then entering values for the user name and password in a
XQuery library constructs the XML query from these elements.
Using this method, the data specified in the
password fields cannot be interpreted as executable content at runtime.
In addition, OWASP [OWASP 2005] recommends
[Prevention of XPath injection] requires the following characters to be removed (ie prohibited) or properly escaped:
< > / ' = "to prevent straight parameter injection
- XPath queries should not contain any meta characters (such as
' = * ? //or similar)
- XSLT expansions should not contain any user input, or if they do, that you comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.
Failure to validate user input may result in information disclosure and execution of unprivileged code.
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
[Fortify 2008] "Input Validation and Representation: XML Injection"
[MITRE 2009] CWE ID 643 "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')"
[OWASP 2005] Testing for XPath Injection
[Sun 2006] Ensure Data Security