XPath Injection Attacks: SQL Injection’s XML Counterpart

XPath Injection mirrors SQL Injection but targets XML databases. Unlike SQL, XPath enforces no ACLs — a successful injection can return the entire XML document. When user input is embedded directly in XPath queries without sanitisation, attackers can bypass authentication or extract all data.

Attack Example

Normal authentication query:

//user[id/text()='Mr. X' and password/text()='XYZ123']

After injecting ' or 'a' = 'a in the password field:

//user[id/text()='Mr. X' and password/text()='' or 'a' = 'a']

Because "and" binds tighter than "or", the predicate is now (id matches and password is empty) or ('a' = 'a'), which always evaluates to TRUE, so authentication is bypassed.

ASP.NET Vulnerable Pattern

using System.Xml.XPath;

XPathNavigator nav = doc.CreateNavigator(); // doc: the XPathDocument holding the user store
// VULNERABLE: both text boxes are concatenated straight into the XPath predicate
XPathExpression expr = nav.Compile(
    "string(//user[name/text()='" + TextBox1.Text +
    "' and password/text()='" + TextBox2.Text + "']/account/text())"
);
string account = (string)nav.Evaluate(expr);
// If TextBox1.Text = "' or 1=1 or ''='"
// Returns ALL account numbers in the XML document

Prevention Guidance

  • Validate input on both client and server.
  • Strip all meta-characters: < > / ' = "
  • XPath queries must never contain user-controlled meta-characters (' = * ? //).
  • Deploy a Web Application Firewall (WAF) in front of the site.
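The bypass from the attack example and the hardening the guidance calls for, as an added example that is not from the original tip: Ruby with the standard REXML library stands in for the ASP.NET code, the two-user XML store is constructed here, and the query is the tip's own //user[id/text()=... and password/text()=...] form. The variable-bound query and the meta-character check are assumed defences, not code supplied by the tip's author.

```ruby
require "rexml/document"
require "rexml/xpath"

# Constructed sample user store (not from the original article).
USERS_XML = <<~XML
  <users>
    <user><id>Mr. X</id><password>XYZ123</password><account>1001</account></user>
    <user><id>Ms. Y</id><password>secret</password><account>1002</account></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable pattern: input is concatenated straight into the predicate,
# exactly like the article's //user[id/text()='..' and password/text()='..'].
# Returns the matched user's account number, or nil when no user matches.
def login_concat(id, password)
  query = "//user[id/text()='#{id}' and password/text()='#{password}']"
  node = REXML::XPath.first(DOC, query)
  node && node.elements["account"].text
end

# Hardened pattern: credentials are bound as XPath variables ($id, $pw), so
# input is only ever compared as a string value and cannot change the query.
def login_bound(id, password)
  query = "//user[id/text()=$id and password/text()=$pw]"
  node = REXML::XPath.first(DOC, query, nil, { "id" => id, "pw" => password })
  node && node.elements["account"].text
end

# Defence in depth: refuse input containing the meta-characters the article
# lists (< > / ' = " * ?) before any query is built at all.
XPATH_META = /['"=*?\/<>]/
def safe_input?(value)
  !value.match?(XPATH_META)
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or 'a'='a"
  puts "concat, correct password:  #{login_concat('Mr. X', 'XYZ123').inspect}"
  puts "concat, injected password: #{login_concat('Mr. X', payload).inspect}"
  puts "bound,  injected password: #{login_bound('Mr. X', payload).inspect}"
  puts "payload passes validation? #{safe_input?(payload)}"
end
```

With the concatenated query the injected password still yields account 1001; with the bound variables it yields nil, and the validator rejects the payload before any query is built.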

Source: IBM SRM Tip #09.08.01 — Original date: 04 Aug 2009. Authored by Sasikanta Pradhan, CEH®, IBM Security Risk Management Operations Team — India/SA.
