Reading time: 10 minutes
XPath Injection is an cyber attack used to fetch sensitive data (stored in XML format) from a website, by injecting malicious XPath queries. This attack works for applications that leverage user-supplied information to construct XPath queries.
Procedure For The Attack
- In an XPath Injection attack, the hacker first identifies a website that stores the sensitive customer information in XML format and tries to extract the structure of one or more XML documents in the site.
- The attacker further crafts a malicious XPath query in such a way that it has the effect desired by the attacker, like revealing out the credentials stored on the server.
- This eventually allows the hacker to steal the sensitive information stored on the website, like credit card numbers, or other financial details.
Mitigation For The Attack
Use a parameterized XPath interface whenever possible. Construct Xpath query dynamically and validate the user inputs properly before passing it to the expression. Reject all input values that do not comply with the whitelist, or sanitize them properly before passing them. Perform proper testing to check for any malicious XPath parameters that could compromise the system. Do both client and server-side validation.