![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/thumbnails\/23\/xpath-injection-vulnerabilities.jpg\")
<\/p>\n<\/p>\n
<\/div>\nWhen developers need to query an XML database, they use XML Path Language (XPath) to construct these queries. An XPath query searches the XML document to find nodes that match a specified pattern or have particular attributes. XML databases remain a common means of storing user data. When a user supplies their login ID and password, they trigger the preconfigured XPath query, which searches the database for the matching credentials and supplies access if the provided combination exists.<\/p>\n
However, the ability to trigger an XPath query via user-supplied information introduces the risk of XPath injection attacks. These attacks occur when specially constructed XPath queries gain access to the XML data structure. Malicious actors can take advantage of user input fields to inject arbitrary XPath code that can access or modify the XML document data. This means that, even if the attacker cannot retrieve passwords (if the database only contains password hash values), they can still use the discovered XML structure to cause additional harm.<\/p>\n
In this article, you\u2019ll view some example code to discover how XPath injection attacks work and learn some best practices for preventing and mitigating them.<\/p>\n
The risks of XPath injection<\/span><\/p>\n XPath injection attacks are one of the most prevalent and dangerous web application vulnerabilities. A successful attack can have several potential consequences, including:<\/p>\n The consequences of such attacks can ruin the reputation of your application and your users. Therefore, you need to be conscious of the risks associated with XPath injection attacks and take the necessary measures to mitigate them. In the next section, you\u2019ll examine a sample XPath injection attack to learn how to best defend against them.<\/p>\n How XPath injection works<\/span><\/p>\n This section reviews how XPath queries work, provides a hands-on demonstration of an XPath injection attack, and how to mitigate or prevent these attacks.<\/p>\n How XPath queries work<\/b><\/p>\n Imagine an application that enables users to search for items in an XML file. To enable this function, the application uses the following expression:<\/p>\n \/\/*[contains(text(), $search)]<\/span><\/p>\n In this query, the user-supplied string replaces the $search<\/span> variable. The query then searches the XML document for all text strings that match this input. When it executes, the application will work as expected.<\/p>\n However, this type of query is vulnerable to attackers who can enter malicious XPath code that allows them to bypass the XML document hierarchy. Consequently, they may access or even modify the XML data in unforeseen and dangerous ways.<\/p>\n For example, the knowledgeable attacker can use the user input form to inject the following XPath code into the query\u2019s $search<\/span> variable:<\/p>\n a’ or true() or ‘<\/span><\/p>\n As a result, the application constructs and executes the following XPath query:<\/p>\n \/\/*[contains(text(), ‘a’ or true() or ”)]<\/span><\/p>\n A query of this type would match all nodes in an XML document, and depending on the program, might allow the attacker to access and modify any data the document contains.<\/p>\n Additionally, an attacker can ascertain an XML document\u2019s structure, which can potentially enable them to navigate among several layers of the contained data. When this type of access is the goal, malicious actors tend to use one of the following two XPath injection methods:<\/p>\n Sample XPath injection vulnerabilities<\/b><\/p>\n To see how XPath injections emerge and function, you\u2019ll create a demo application vulnerable to these attacks. You\u2019ll create a demo application that checks the user-supplied input to return data from an XML document.<\/p>\n Say you\u2019re working with an e-commerce platform and that you maintain a list of your customers (users), each of which is identified using a username. To connect your orders with their purchasers, you use an application to search for the username to return the orders they are associated with, as listed on the order status page.<\/p>\n Below is an XML data construct called orders_data.xml<\/span>, which will represent this scenario.<\/p>\n <users><\/span><\/p>\n <orders> <orders> <orders> <\/users><\/span><\/p>\n You\u2019ll use JavaScript to execute the above data and create a basic application that allows users to query the data using inputs they supply.<\/p>\n In the same directory, run the following command to initialize Node.js,<\/a> a JavaScript runtime:<\/p>\n npm init \u2013y<\/span><\/p>\n Then, you\u2019ll need to use need the following to execute XML. Note that they\u2019re both included in Node.js:<\/p>\n XPath<\/a>\u2014For DOM implementation and helper for JavaScript that supports XPath query strings Open a terminal to your app directory and run the following command:<\/p>\n npm i xpath xmldom<\/span><\/p>\n In the same directory, create an index.js<\/span> file and execute the XML data as follows:<\/p>\n First, import the required dependencies:<\/p>\n const fs = require(‘fs’); Then, create a simple readline module to allow user-supplied inputs:<\/p>\n async function enterOrder(){ Create a function to execute XML query and return data from the input using the code below:<\/p>\n async function xpath_injection_example(){<\/span><\/p>\n const xml = fs.readFileSync(‘orders_data.xml’,’utf-8′); \/\/ execute this function In the above example, the query \/users\/orders[username = ‘${order}’]\/order<\/span> will be executed. The order elements are children of orders with a username element, where the value is equal to the variable supplied in the user input.<\/p>\n [username = ‘${order}’]<\/span> specifies a predicate condition that must be satisfied by the selected elements. In this case, the predicate specifies that the username element must have a value equal to the value of the order variable.<\/p>\n This way, the order element is selected as a child of the orders element that satisfies the predicate. Now run the following command to execute this program:<\/p>\n node index.js<\/span><\/p>\n This will allow you to enter the username, just like a user would have used a search-supplied input.<\/p>\n Enter a username in your orders_data.xml<\/span> file, as shown below. This should display the associated order. Otherwise, a \u201cUser does not exist\u201d message will be displayed if the username doesn\u2019t exist.<\/p>\n Enter the username michael_read Exploring XPath injection vulnerabilities<\/b><\/p>\n This application is working as it should. However, an attacker with malicious intentions can run arbitrary XPath queries using the supplied user input to get access without needing a valid username.<\/p>\n The application is vulnerable to malicious code injection. The predicate [username = ‘${order}’]<\/span> is the target for the attacker here. An attacker can construct a query that evaluates this expression to satisfy its condition. Using the injected code, the query will evaluate to true and allows the attacker to gain access without supplying the correct username.<\/p>\n Here are some arbitrary queries that can allow attackers to maneuver around the data hierarchy using the user-supplied input:<\/p>\n Here is how to execute all of the above arbitrary queries using a’ or true() or ‘<\/span> as the example:<\/p>\n Enter the username a’ or true() or ‘ Mitigating XPath injections<\/b><\/p>\n As you can see in the example above, properly constructed injections mean that an attacker can too easily access restricted data. So, this section explores how you can patch common vulnerabilities and mitigate the risks associated with XPath injections.<\/p>\n This attack takes advantage of a lack of proper variable parameter binding in the application\u2019s code. The application concatenates user-supplied input directly into an XPath query without adequately validating or sanitizing the input. This is where the attacker can insert malicious XPath statements into the query to access sensitive information from the XML database.<\/p>\n To mitigate this, the best strategy is to use parameter binding to prevent injection. To accomplish this, you can use a regular expression that removes any characters that are not letters or numbers. This method prevents potential attackers from constructing arbitrary queries.<\/p>\n To sanitize and prevent XPath injection vulnerabilities in this example, use the following code:<\/p>\n async function enterOrder(){ }catch(err){ async function xpath_injection_example(){<\/p>\n const xml = fs.readFileSync(‘orders_data.xml’,’utf-8′); \/\/ execute this function The above code uses regex to detect and filter non-alphanumeric characters. If the supplied input has such characters, the application will stop any further execution and provide the message, \u201cInvalid characters not allowed.\u201d However, if the input passes this test, the application will proceed and execute the query with the supplied input. You can test the code with the arbitrary queries discussed in the section above.<\/p>\n Although you can sanitize user inputs, an attacker could still use other techniques to bypass this filter.<\/p>\n It\u2019s virtually impossible to escape all potentially exploitable characters using regex expressions. In cases like user authentication, the application requires users to provide passwords that may contain such characters. This means that sanitizing user inputs is not wholly reliable.<\/p>\n Another alternative is to use parameterized XPath queries, as shown below:<\/p>\n const evaluator = xpath.parse(`\/users\/orders[username = $order]\/order`);<\/span><\/p>\n const character = evaluator.select1({<\/p>\n node: doc, However, this approach contains a dynamic XPath expression constructed using string interpolation, which can also be constructed from user-supplied data. Therefore, this method may not be sufficient to fully protect against XPath injection.<\/p>\n Using precompiled XPath queries<\/b><\/p>\n You can use a precompiled XPath query to avoid dynamic XPath expression. This is achieved by defining the XPath expression as a separate variable and then passing it when it is needed.<\/p>\n The precompiled XPath query uses a variable to represent the user-provided input. This ensures they aren’t constructed from user-supplied data. Thus, an attacker cannot run any arbitrary code to gain access. Here is an example of how to use a precompiled XPath query:<\/p>\n\n
\n
<username>johndoe<\/username>
<order>Custom Xbsg Item#3668<\/order>
<timestamp>1671301351<\/timestamp>
<reference>HS0282<\/reference>
<code>gwr23d2has3fa13gs24<\/code>
<\/orders><\/span><\/p>\n
<username>michael_read<\/username>
<order>Archep Cores Item#668<\/order>
<timestamp>1671301351<\/timestamp>
<reference>HS0282<\/reference>
<code>gwr23d2has3fa13gs24<\/code>
<\/orders><\/span><\/p>\n
<username>adammrray<\/username>
<order>Partial CoSum Item#92623<\/order>
<timestamp>1671301351<\/timestamp>
<reference>HS0282<\/reference>
<code>gwr23d2has3fa13gs24<\/code>
<\/orders><\/span><\/p>\n
XMLDOM<\/a>\u2014For JavaScript implementation of DOM for Node.js that supports the XML Parser interface<\/p>\n
const xpath = require(‘xpath’);
const dom = require(‘xmldom’).DOMParser;
const util = require(‘util’);
const readline = require(‘readline’).createInterface({
input: process.stdin,
output: process.stdout
});<\/span><\/p>\n
let question = util.promisify(readline.question).bind(readline);
try{
const order = await question(“Enter the username”);
return order;
}catch(err){
err;
}
}<\/span><\/p>\n
const doc = new dom().parseFromString(xml);
var order = await enterOrder();
if(order){
const evaluator = xpath.parse(`\/users\/orders[username = ‘${order}’]\/order`);
const character = evaluator.select1({
node: doc,
variables: {
order
}
});
if(character){
console.log(character.textContent);
}else{
console.log(“User does not exist”);
}
}
}<\/p>\n
xpath_injection_example()<\/p>\n
Archep Cores Item#668<\/span><\/p>\n\n
Archep Cores Item#668<\/span><\/p>\n
let question = util.promisify(readline.question).bind(readline);
const regex = \/[^a-z0-9]\/g;
try{
const order = await question(“Enter the username “);
if(regex.exec(order)){
console.log(“Invalid characters not allowed”);
}
else{
return order;
}<\/span><\/p>\n
err;
}
}<\/p>\n
const doc = new dom().parseFromString(xml);
var order = await enterOrder();
if(order){
const evaluator = xpath.parse(`\/users\/orders[username = ‘${order}’]\/order`);
const character = evaluator.select1({
node: doc,
variables: {
order
}
});
if(character){
console.log(character.textContent);
}else{
console.log(“Order number does not exist”);
}
}
}<\/p>\n
xpath_injection_example()<\/p>\n
variables: {
order: order
}
});<\/span><\/p>\n