Xpath Injection
July 1, 2008 – 10:11 AMYesterday I wrote a quick proposal for the Synapse project. Since not everyone has access to the Synapse project, I will share some ideas here from time to time. I started with a proposal on how to detect Xpath vulnerabilities. Since Xpath can be used in combination with every server-side language, it is easy to write a detection flow for most languages. XPath injection attacks are similar to regular SQL injection, it is possible to inject the same kind of vectors as we normally do with a slight difference in ending syntax in most cases. This document proposes a technique on how to find them, it does not include a method in looking around a vulnerability in order to determine if functions are being called, nor variable correlation. This will be incorporated in a later phase since I like to have different levels of detecting vulnerabilities. As such this is to be treated as a loose method in locating Xpath injections. Xpath has no protection for injection, and thus it can be found in many software where programmers do not escape or use parametrized queries.
