XPath Injection

ID

kotlin.xpath_injection

Severity

high

Resource

Injection

Language

Kotlin

Tags

CWE:643, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1

Description

Improper neutralization of data within XPath expressions ('XPath Injection').

XPath is a query language used to select nodes from XML documents. Similar to SQL injection, XPath Injection involves manipulating the structure of queries using user-supplied input. When the software fails to sanitize input properly, attackers can insert malicious characters or expressions that alter the intended query, potentially exposing sensitive information or allowing access to unauthorized data.

Rationale

If the software uses untrusted input to dynamically construct the XPath expression used to retrieve data from an XML source, but it does not neutralize or incorrectly neutralizes that input, it is vulnerable to XPath Injection. This allows an attacker to control the semantics of the query.

The attacker will have control over the information selected from the XML database and can control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

Consider the following Kotlin code example demonstrating a potential XPath Injection vulnerability:

import javax.xml.xpath.XPath
import javax.xml.xpath.XPathFactory
import org.w3c.dom.Document
import org.xml.sax.InputSource
import javax.xml.parsers.DocumentBuilderFactory
import java.io.StringReader

class XPathInjectionExample {

    @Throws(Exception::class)
    fun getUserInfo(username: String): String {
        val factory = DocumentBuilderFactory.newInstance()
        val builder = factory.newDocumentBuilder()
        val doc: Document = builder.parse(InputSource(StringReader(loadXML())))

        val xpath: XPath = XPathFactory.newInstance().newXPath()
        // Vulnerable to XPath Injection
        val expression = "/users/user[username/text()='$username']/info/text()"
        return xpath.evaluate(expression, doc)
    }

    private fun loadXML(): String {
        // Simulate loading of an XML string
        return "<users><user><username>user1</username><info>info1</info></user></users>"
    }
}

In this example, username is included directly in the XPath expression without any sanitization. An attacker could manipulate the input to inject additional XPath logic, resulting in unauthorized access to XML data.

Remediation

To protect applications from XPath Injection vulnerabilities, apply the following remediation strategies:

  • Input validation and canonicalization: Rigorously validate and canonicalize all user inputs before using them in XPath expressions to reduce the risk of injection attacks.

  • Parameterized XPath queries: Utilize libraries or techniques that support parameterized XPath queries where possible. Although not as widely available as parameterized SQL queries, parameterization helps isolate user inputs from query logic.

  • Escaping user input: Properly escape special characters in user inputs that are used within XPath expressions to prevent them from altering the query. For example, replacing ' (quote) with &apos;, its encoded version. Please note that escaping alone is not recommended and should be used in conjunction with other measures.

import org.apache.commons.text.StringEscapeUtils
import javax.xml.xpath.XPath
import javax.xml.xpath.XPathFactory
import org.w3c.dom.Document
import org.xml.sax.InputSource
import javax.xml.parsers.DocumentBuilderFactory
import java.io.StringReader

class SecureXPathExample {

    @Throws(Exception::class)
    fun getUserInfo(username: String): String {
        val factory = DocumentBuilderFactory.newInstance()
        val builder = factory.newDocumentBuilder()
        val doc: Document = builder.parse(InputSource(StringReader(loadXML())))

        val xpath: XPath = XPathFactory.newInstance().newXPath()
        // Secure by escaping user input
        val safeUsername = StringEscapeUtils.escapeXml10(username)
        val expression = "/users/user[username/text()='$safeUsername']/info/text()"
        return xpath.evaluate(expression, doc)
    }

    private fun loadXML(): String {
        // Simulate loading of an XML string
        return "<users><user><username>user1</username><info>info1</info></user></users>"
    }
}

  • Security Libraries and Frameworks: Leverage security libraries and frameworks that offer pre-built defenses against various types of injection attacks, including XPath Injection.

By carefully validating, escaping, and managing input data, Kotlin applications can effectively mitigate the risks associated with XPath Injection, ensuring secure and reliable data access within XML documents.

Configuration

The detector has the following configurable parameters:

  • sources, that indicates the source kinds to check.

  • neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

  • CWE-643 : Improper Neutralization of Data within XPath Expressions ('XPath Injection').

  • OWASP Top 10 2021 - A03 : Injection.

  • SEI CERT IDS53-J - Prevent XPath Injection.