XML Injection and XPath Injection

What is it

This vulnerability applies to data that is stored in XML format. XPath is the query language used to traverse an XML document, much as SQL is used to query a relational database. Like SQL injection, XPath injection allows an attacker to inject XPath syntax through user input and thereby gain access to data or information.

How serious is it

XPath injection vulnerabilities are very serious because an attacker can view any data reachable under the application's current security context, bypassing the existing security controls.

The impact of XPath injection may include

  • Gaining access to the data contained in your system (loss of Confidentiality)
  • Possible loss of data (loss of Availability)
  • Elevation of privilege, if privileges are stored in the XML files.

The amount of data an attacker can retrieve depends on multiple factors, such as the attacker's skill and the system's design and implementation.

How to prevent

  • Sanitize User Input. Never build XPath expressions directly from user input. Treat all user input as untrusted and sanitize it. Every language worth its salt has a sanitization library; OWASP ESAPI (The OWASP Enterprise Security API) libraries are also available for all major languages and can be used.
  • Use a Web Application Firewall. A WAF creates a protection shield without any change to existing applications and helps you identify and stop attacks (note that a WAF must be configured properly in order to provide maximum value).
  • Use Least Privilege Access. Limit access to data by implementing techniques such as Role Based Access Control (RBAC). Do not allow every user to run all queries, as this could result in abuse of privileges.
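The first bullet, made concrete. The following Python is an added example, not code from the original article: it contrasts an XPath query built by string concatenation with one that validates the username against an allowlist and then encodes every value as a proper XPath 1.0 string literal. The sample XML user store, the allowlist pattern and the function names are this example's own assumptions. ElementTree is used only because it ships with Python; it implements a subset of XPath, so the hardened builder uses two predicates rather than `and`, and values that contain both kinds of quote (which need `concat()`) are reported rather than executed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample user store (not from the article). Credentials and roles
# live in the same XML file, so an injected predicate could disclose other
# users' records or match an administrator's entry.
SAMPLE_XML = """<users>
  <user name="alice" password="s3cret" role="admin"/>
  <user name="bob" password="hunter2" role="staff"/>
  <user name="O'Brien" password="apostrophe" role="staff"/>
</users>"""

# Allowlist for usernames (an assumption of this example). A legitimate
# apostrophe is permitted, which is exactly why validation alone does not
# make string concatenation safe.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.'-]{1,32}")


def build_xpath_unsafe(username: str, password: str) -> str:
    """The pattern the article warns against: raw input concatenated into the
    expression. Any quote in the input changes the structure of the query."""
    return f".//user[@name='{username}'][@password='{password}']"


def xpath_string_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.

    XPath 1.0 literals have no escape sequences. A value containing only one
    kind of quote is wrapped in the other kind; a value containing both kinds
    is assembled with concat(). Whatever the input holds, the engine can only
    read it as text, never as XPath syntax.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")  # the apostrophe itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"


def build_xpath_safe(username: str, password: str) -> str:
    """Reject anything outside the allowlist, then embed both values as
    encoded literals. Two predicates are used instead of 'and' so the same
    expression is valid both for full XPath 1.0 engines and for ElementTree's
    subset, which runs it below."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    return (
        f".//user[@name={xpath_string_literal(username)}]"
        f"[@password={xpath_string_literal(password)}]"
    )


def find_user(xml_text: str, username: str, password: str) -> list:
    """Run the hardened query and return the roles of the matching users.

    ElementTree does not implement concat(), so a value containing both quote
    kinds needs a full XPath engine (for example lxml or javax.xml.xpath);
    that case is reported here instead of being executed.
    """
    expr = build_xpath_safe(username, password)
    if any("'" in v and '"' in v for v in (username, password)):
        raise NotImplementedError("ElementTree's XPath subset lacks concat()")
    root = ET.fromstring(xml_text)
    return [u.get("role") for u in root.findall(expr)]


if __name__ == "__main__":
    # A legitimate name with an apostrophe breaks the concatenated query but
    # is handled correctly by the encoded one.
    print(build_xpath_unsafe("O'Brien", "apostrophe"))
    print(build_xpath_safe("O'Brien", "apostrophe"))
    print(find_user(SAMPLE_XML, "O'Brien", "apostrophe"))   # ['staff']
    # Input containing both quote kinds is encoded with concat().
    print(xpath_string_literal("it's \"x\""))
```

Where the XPath engine supports bound variables (lxml's `xpath(expr, name=value)` and `XPathVariableResolver` in `javax.xml.xpath` both do), pass the values as variables instead of building literals; the literal encoding above is the fallback for engines that offer no parameterization, and the allowlist check stays useful in either case because it also rejects values that should never reach the query at all.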

Implement Secure Software Development Lifecycle (SSDLC)

Secure coding guidelines, although critical, form only a piece of the puzzle. In order to ensure that applications are secure from XML / XPath injection, security needs to be built in right from the requirements stage and carried through every other stage, be it design, coding, review, testing, release or implementation.