The XML Path Language (XPath) is an interpreted language used to navigate around XML documents and to retrieve data from within them. In most cases, an XPath expression describes a sequence of steps that are required to navigate from one node of a document to another.
Where web applications save data within XML documents, they may use XML Path Language to access the data in response to the user-supplied input. If this input is inserted into the XPath query without any filtering or sanitization, an attacker may be able to manipulate the query to interfere with the application’s logic or retrieve data for which she is not authorized. XML documents generally are not a preferred vehicle for storing enterprise data.
However, they are frequently used to store application configuration data that may be retrieved on the basis of user input. They may also be used by smaller applications to persist simple information such as user credentials, roles, and privileges.
Consider the following XML data store:
<addressBook>
<address>
<firstName>William</firstName>
<surname>Gates</surname>
<password>MSRocks!</password>
<email>[email protected]</email>
<ccard>5130 8190 3282 3515</ccard>
</address>
<address>
<firstName>Chris</firstName>
<surname>Dawes</surname>
<password>secret</password>
<email>[email protected]</email>
<ccard>3981 2491 3242 3121</ccard>
</address>
<address>
<firstName>James</firstName>
<surname>Hunter</surname>
<password>letmein</password>
<email>[email protected]</email>
<ccard>8113 5320 8014 3313</ccard>
</address>
</addressBook>An XPath query to retrieve all e-mail addresses would look like this:
//address/email/text()
A query to return all the details of the user Dawes would look like this:
//address[surname/text()=’Dawes’]
In some applications, user-supplied data may be embedded directly into XPath queries, and the results of the query may be returned in the application’s response or used to determine some aspect of the application’s behavior.
Simply, XPath Injection is an attack method used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.