XPath Injection
What is XPath Injection?
An injection flaw in which untrusted input alters an XPath query against an XML document, allowing data exfiltration or authentication bypass.
XPath injection occurs when an application builds XPath queries against an XML document by string-concatenating user input, in the same way as classic SQL injection. An attacker can break out of the intended expression with quotes, boolean tautologies like ' or '1'='1, or comments to extract arbitrary nodes, bypass login forms backed by XML user stores, or perform blind exfiltration through boolean and timing oracles. The flaw is most common in legacy SOAP services, configuration backends, and applications that store credentials in XML files. Defenses include parameterized XPath APIs (where available), strict input validation against an allow-list, and migrating sensitive lookups to safer data stores.
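As an added example that is not part of the original page, the following Ruby script runs the concatenated login query described above against a constructed XML user store using the standard-library REXML XPath engine, and puts a hardened lookup beside it. The hardened version applies allow-list validation to the username, encodes it as a proper XPath string literal (splitting with concat() when both quote kinds appear), and compares the password in application code instead of inside the query. The function names, the sample users and their passwords are assumptions made for the example.

```ruby
require 'rexml/document'

# Constructed sample user store, standing in for the XML credential files the
# text describes. (A real store should hold password hashes, never plaintext.)
USER_STORE_XML = <<~XML
  <users>
    <user><name>admin</name><password>s3cret</password><role>admin</role></user>
    <user><name>alice</name><password>hunter2</password><role>user</role></user>
  </users>
XML

DOC = REXML::Document.new(USER_STORE_XML)

# Vulnerable: both inputs are concatenated straight into the XPath predicate.
# Returns the matched user's role, or nil when no node matches.
def vulnerable_login(name, password)
  query = "//user[name/text()='#{name}' and password/text()='#{password}']"
  node = REXML::XPath.first(DOC, query)
  node && node.elements['role'].text
end

# Allow-list for usernames (assumed policy): a quote, parenthesis or operator
# keyword can never reach the query.
USERNAME_RE = /\A[A-Za-z0-9_.-]{1,32}\z/

# Encode an arbitrary string as an XPath 1.0 string literal. XPath has no
# escape character, so a value containing both quote kinds is split into
# pieces and rejoined with concat().
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{parts.join(", \"'\", ")})"
end

# Hardened: validate, quote, and keep the secret out of the query entirely.
def safe_login(name, password)
  raise ArgumentError, 'invalid username' unless name.match?(USERNAME_RE)
  node = REXML::XPath.first(DOC, "//user[name/text()=#{xpath_literal(name)}]")
  return nil unless node
  stored = node.elements['password'].text
  stored == password ? node.elements['role'].text : nil
end

if __FILE__ == $PROGRAM_NAME
  # The tautology from the text: the predicate becomes true for the admin node
  # regardless of the password, so the vulnerable lookup returns "admin".
  puts vulnerable_login("admin' or '1'='1", 'x').inspect
  # The hardened lookup refuses the same input before any query is built.
  begin
    safe_login("admin' or '1'='1", 'x')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Where the XPath engine offers variable binding (for example javax.xml.xpath.XPathVariableResolver in Java, or the keyword variables accepted by lxml's xpath() call), binding the username as a variable is preferable to building the literal by hand; the allow-list check and the out-of-query password comparison remain worthwhile either way.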
● Examples
- 01
Login query: //user[name/text()='admin' or '1'='1' and password/text()='x'] bypasses authentication.
- 02
Blind XPath exfiltration via boolean conditions like substring(//secret,1,1)='a'.
● Frequently asked questions
What is XPath Injection?
An injection flaw in which untrusted input alters an XPath query against an XML document, allowing data exfiltration or authentication bypass. It belongs to the Attacks & Threats category of cybersecurity.
What does XPath Injection mean?
An injection flaw in which untrusted input alters an XPath query against an XML document, allowing data exfiltration or authentication bypass.
How does XPath Injection work?
XPath injection occurs when an application builds XPath queries against an XML document by string-concatenating user input, similarly to classic SQL injection. An attacker can break out of the intended expression with quotes, boolean tautologies like ' or '1'='1, or comments to extract arbitrary nodes, bypass login forms backed by XML user stores, or perform blind exfiltration through boolean and timing oracles. The flaw is most common in legacy SOAP services, configuration backends, and applications that store credentials in XML files. Defenses include parameterized XPath APIs (where available), strict input validation against an allow-list, and migrating sensitive lookups to safer data stores.
How do you defend against XPath Injection?
Defenses against XPath Injection typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for XPath Injection?
Common alternative names include: XPath query injection.
● Related terms
- SQL Injection (attacks № 1084): A code-injection attack that smuggles attacker-controlled SQL into a database query, letting the attacker read, modify, or destroy data.
- LDAP Injection (attacks № 612): An injection attack that manipulates LDAP search filters or DNs through unsanitized input to bypass authentication or read directory data.
- XML Injection (attacks № 1255): An attack that inserts malicious XML tags, attributes, or XPath fragments into an application's XML processing to alter logic or extract data.
- XXE Attack (attacks № 1257): An attack against XML parsers that abuses external entity resolution to read files, scan internal networks, or trigger denial of service.
- Input Validation (appsec № 538): The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application.
- Command Injection (attacks № 202): An attack where user input is passed unsanitized to an operating-system shell, causing the application to execute attacker-supplied commands.