alphaspirit - Fotolia

Manage Learn to apply best practices and optimize your operations.

Do XPath injection attacks require the same response as SQL injections?

XPath injection attacks are slightly different (and more dangerous) than SQL injections. In this Q&A, application expert Michael Cobb reveals the preventative steps that can protect your systems from either type of assault.

How do XPath injection attacks differ from SQL injection attacks? Would SQL injection mitigating techniques protect against XPath injection attacks?
XPath (XML Path Language) 1.0 is an expression language that many applications use to carry out operations based on the content in an XML document. An XML document serves as the database, and the XPath query is used to access the data within the document. The benefits to using an XML database instead of a conventional database include portability, compatibility, re-usability and structured formatting.

While the syntax of an XPath expression is similar in many ways to an SQL query, XPath injection is more dangerous than SQL injection. When Web applications construct XPath queries without first validating user-supplied data, XPath injections can exploit these applications. An attacker can inject data into a query, thereby changing its semantics. By inserting a series of Boolean queries – crafted expressions that produce a value of "true" or "false" – the attacker can iterate through all the nodes of the document. Using such techniques, even an attacker who has no prior knowledge of the XPath query can retrieve a complete XML database document.

Most databases provide some level of access and privilege controls, restricting users to certain tables, fields or queries. This restriction generally limits an attacker to the application's database account. XPath provides no access control for the database document, so an attacker can query all XML objects within it. Also, since XPath is a standard language, an attacker can create an automated attack to fit any XPath-based application. Because of SQL's many variants, SQL injection attacks must be customized for the particular version of SQL being targeted.

Measures taken to defend against SQL injection do in fact help protect against XPath injection. To review, here are a few preventative steps to take. First, your application must validate and sanitize all user input. Second, assume all data is from an un-trusted source; before it's used by your scripts, data access routines and XPath queries, validate the data for type, length, format and range. It's also worth noting that this validation must be performed on the server-side, not the client-side, since client-side validation is easily bypassed. Unfortunately, there isn't a native XPath equivalent to parameterized queries, and for that reason, XPath queries have to be constructed using string-building techniques. This makes validating user-supplied input all the more important. Testing whether your application is vulnerable to XPath injection is easy. Just add a single quotation mark within the data sent to your server, and see if an error occurs. If it does, then it's likely that an XPath injection is possible. The XPath 2.0 specification, which is in the final stages of the World Wide Web Consortium (W3C)'s approval process, offers a greatly expanded set of functions and capabilities, but sadly no increased security.

More information:

  • Use this XML Security Learning Guide to improve your Web services.
  • Prevent blind SQL injection attacks.

This was last published in January 2007

Dig Deeper on Web application and API security best practices