XPath Injection

July 1, 2008 – 10:11 AM

Yesterday I wrote a quick proposal for the Synapse project. Since not everyone has access to the Synapse project, I will share some of its ideas here from time to time. I started with a proposal on how to detect XPath vulnerabilities. Because XPath can be used in combination with every server-side language, it is easy to write a detection flow that covers most of them. XPath injection attacks are similar to regular SQL injection: the same kind of vectors can be injected, in most cases with only a slight difference in the ending syntax. This document proposes a technique for finding them; it does not cover looking around a vulnerability to determine which functions are being called, nor variable correlation. Those will be incorporated in a later phase, since I like to have different levels of vulnerability detection. As such, this is to be treated as a loose method for locating XPath injections. XPath itself has no protection against injection, so it can be found in much software where programmers neither escape input nor use parameterized queries.
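As an added example (not part of the original post), the same user lookup built first by string concatenation and then with the input forced into an XPath string literal, evaluated with Python's `xml.etree.ElementTree` on a constructed user document. ElementTree only implements a subset of XPath, so the malformed predicate surfaces as a `SyntaxError`; a full XPath 1.0 engine would accept the injected `or '1'='1'` clause and match every user, which is the SQL-injection parallel the post draws.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: a small user store of the kind an XPath lookup queries.
USERS_XML = """<users>
  <user><name>alice</name><role>admin</role></user>
  <user><name>bob</name><role>staff</role></user>
  <user><name>o'neil</name><role>staff</role></user>
</users>"""
TREE = ET.fromstring(USERS_XML)


def lookup_vulnerable(name):
    """Query built by string concatenation: the input is parsed as XPath
    syntax, so a quote in it changes the structure of the query."""
    query = ".//user[name='" + name + "']"
    return [u.findtext("role") for u in TREE.findall(query)]


def xpath_literal(value):
    """Wrap untrusted text as an XPath 1.0 string literal so it is only ever
    compared as data. XPath 1.0 has no escape character: a value with no
    single quote goes in '...', one with no double quote in "...". A value
    holding both kinds needs concat('a', "'", 'b'); ElementTree's XPath
    subset lacks concat(), so this demo rejects such input instead."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    raise ValueError("value contains both quote characters")


def lookup_hardened(name):
    """Same lookup with the input forced into a string literal."""
    query = ".//user[name=" + xpath_literal(name) + "]"
    return [u.findtext("role") for u in TREE.findall(query)]


def probe(lookup, name):
    """Report the outcome of one lookup the way a test probe observes it:
    the roles matched, or the exception class the input caused."""
    try:
        return "match:" + ",".join(lookup(name))
    except (SyntaxError, ValueError) as exc:
        return "error:" + type(exc).__name__


if __name__ == "__main__":
    for name in ["alice", "o'neil", "' or '1'='1"]:
        print(repr(name), probe(lookup_vulnerable, name), probe(lookup_hardened, name))
```

Note that the legitimate user `o'neil` already breaks the concatenated query, so the error a detection probe looks for is the same one that bites real users; the hardened lookup returns that user and treats the injected clause as plain text that matches nobody.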

