The XPath injection is an injection attack very similar to SQL injection were a web application uses user-supplied data to construct a malicious XPath query for XML. The attacker can execute this injection by sending malicious information into the web application. Through this attack, an attacker can find out how the XML data is structured and can also access sensitive data from the application. He can also change his privileges on the vulnerable web application if there are any XML data being passed to the application for authentication. There are many web applications where the attacker can inject XPath syntax into a request interpreted by the application, allowing him to execute user-controlled XPath queries. The aftermath of executing this query, allows an attacker to bypass authentication mechanisms and can access information without proper authorisation. XPath is one of the standard languages whose notations are independently implemented.
Consider the following XML code.
If the above XML code is used for authentication of the users, the application uses XPath to find the user. If an attacker sends a random username and password, the XML will return the following:-
This response from XML proves to the attacker that, the username must only be matched to get into the application. The attacker can manipulate the response to get into the system.
This vulnerability can have the following impacts:-
This vulnerability can be fixed by:-