An XPath syntax character submitted in a URL parameter causes an error in the application query. This indicates that an XPath injection attack could be accomplished. These attacks manipulate queries built from user-supplied input in order to query or navigate XML documents.
If the XPath injection attack can be used to read arbitrary data, then users' stored information such as authentication credentials, e-mail address, or financial information will be exposed.
Furthermore, a successful injection attack could compromise the application host and other hosts on its local network even if they are protected from the Internet by a firewall.
Several techniques can be used to block XPath injection attacks. These techniques complement each other and address security at different points in the application. The impact of an XPath injection attack is minimized by implementing multiple defense measures.
- Normalize all user-supplied data before applying filters or regular expressions, or submitting the data to a database. This means that all URL-encoded (%xx), HTML-encoded (&#xx;), or otherwise encoded values should be reduced to the internal character representation expected by the application. This prevents attackers from using alternate encoding schemes to bypass filters.
- Implement positive filters that examine user-supplied data for expected characters. Define data types for user-supplied values and ensure that submitted data match these types, such as numeric or date. String or text values should be carefully matched to a limited subset of characters such as alpha, numeric, spaces, or certain punctuation characters as necessary. If any value received by the application contains an unexpected character, then it should be rejected.
- Negative filtering can also prevent attacks, but it may be less reliable or more difficult to implement for language sets that require non-ASCII characters. Examine all data received from the web browser for XPath syntax characters. If any of these characters are present, then they should be escaped or removed. The single quote (') and double quote (") are often used to enclose parameters in an XPath query. Other malicious characters include the asterisk, semicolon, dash (minus sign), and parentheses. These characters could be used to prematurely end a query statement.
- Avoid string concatenation for XPath query construction. String concatenation, where the query is created programmatically by appending values together, makes an injection attack easier to accomplish because the syntax of the query can be easily disrupted by malicious characters.
- Store user-supplied values with appropriate data types within the database. For example, dates should be stored as DATE types (if available) instead of a VARCHAR string.
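The following Python code is an added example, not part of the original finding text, that applies the first three recommendations above: it normalizes encoded input until it is stable, applies a positive filter, and, where the XPath library offers no variable binding, encodes the value as a proper XPath 1.0 string literal instead of pasting it raw into the query. The function names, the username character set and the `//user[name=...]` document layout are assumptions chosen for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed example: defensive handling of a user-supplied value
# before it is placed into an XPath query.


def normalize(value: str, max_rounds: int = 5) -> str:
    """Reduce URL (%xx) and HTML (&#xx;, &amp;) encodings to plain characters.

    Decoding repeats until the value stops changing, so a double-encoded
    input such as %2527 cannot slip past the filters applied afterwards.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError("value is encoded too deeply")


# Positive filter: the only characters a username may contain (assumption).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value: str) -> bool:
    """Accept only values made entirely of expected characters."""
    return USERNAME_RE.fullmatch(value) is not None


def xpath_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.

    XPath literals have no escape sequence, so a value containing both
    quote kinds is split on the single quote and reassembled with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def build_user_query(raw_username: str) -> str:
    """Normalize, validate, then build the query from a safe literal."""
    username = normalize(raw_username)
    if not is_valid_username(username):
        raise ValueError("username contains unexpected characters")
    return f"//user[name={xpath_literal(username)}]"
```

Where the XPath library supports variable binding (for example lxml's `xpath(expr, name=value)` keyword variables, or `XPathVariableResolver` in Java), prefer that over any literal construction; the escaping function is the fallback for libraries that do not.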