Live Active security incident? Get immediate response
CWE Reference

CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Official CWE-643 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.

Release 4.20weaknessIncomplete
Search CWE CWE Dictionary

Glexia's Take

CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Improper Neutralization of Data within XPath Expressions ('XPath Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Access Control: Bypass Protection Mechanism: Controlling application flow (e.g. bypassing authentication).
  • Confidentiality: Read Application Data: The attacker could read restricted XML content.

Developer Pattern

CWE-643 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Confidence

high confidence from CWE-643, 4.20.

Official CWE Definition

CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

Type
weakness
Abstraction
Base
Status
Incomplete
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • Consider the following simple XML document that stores authentication information and a snippet of Java code that uses XPath query to retrieve authentication information: The Java code used to retrieve the home directory based on the provided credentials is:,Assume that user "john" wishes to leverage XPath Injection and login without a valid password. By providing a username "john" and password "' or ''='" the XPath expression now becomes,This lets user "john" login without a valid password, thus bypassing authentication.

Remediation

  • Implementation: Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.
  • Implementation: Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.

Detection

  • Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

Open CWE CVE mapping

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.