An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.

How does a XPath Injection attack work?

It typically unfolds over 3 phases. It begins with: [Survey the target] Using a browser or an automated tool, an adversary records all instances of user-controllable input used to contruct XPath queries.

How do you prevent CAPEC-83?

Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XPath expression. Characters such as a single-quote(') or operators such as or (|), and (&) and such should be filtered if the application does not expect them in the context in which they appear. If such content cannot be filtered, it must at least be properly escaped to avoid them being interpreted as part of XPath expressions.

What weaknesses does CAPEC-83 target?

CAPEC-83 exploits 4 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-91 (XML Injection (aka Blind XPath Injection)), CWE-707 (Improper Neutralization).

How severe is CAPEC-83?

MITRE rates CAPEC-83 as High severity with high likelihood of attack.

CAPEC-83: XPath Injection

CAPEC-83 (XPath Injection) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

CAPEC-83: XPath Injection

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-83?

How does a XPath Injection attack work?

How do you prevent CAPEC-83?

What weaknesses does CAPEC-83 target?

How severe is CAPEC-83?

References

Defend against CAPEC-83

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-83?

How does a XPath Injection attack work?

How do you prevent CAPEC-83?

What weaknesses does CAPEC-83 target?

How severe is CAPEC-83?

References

Defend against CAPEC-83