Blind XPath Injection (differential analysis)

Web App Scanning Plugin ID 113310 (Severity: High)

Synopsis

Blind XPath Injection (differential analysis)

Description

XML Path Language (XPath) queries are used by web applications for selecting nodes from XML documents. Once selected, the value of these nodes can then be used by the application.

A simple example of the use of XML documents is storing user information. As part of the authentication process, the application performs an XPath query to confirm the login credentials and retrieve that user's information for use in subsequent requests.

XPath injection occurs where untrusted data is used to build XPath queries.

Cyber-criminals may abuse this injection vulnerability to bypass authentication, query other users' information, or, if the XML document contains privileged user credentials, escalate their privileges.

The scanner injected special XPath query characters into the page and, based on the responses from the server, determined that the page is vulnerable to XPath injection.

The injection was detected because the scanner was able to inject specific XPath queries that, if the page is vulnerable, cause the server's response to differ for each injection. This is known as a blind XPath injection vulnerability.

Solution

The preferred way to protect against XPath injection is to utilise parameterized (also known as prepared) XPath queries. When utilising this method of querying the XML document, any value supplied by the client is handled as a string rather than as part of the XPath query.
An alternative to parameterized queries is to use precompiled XPath queries. Precompiled XPath queries are not generated dynamically and will therefore never process user-supplied input as XPath.
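The following is an added example, not code from the plugin or from Tenable. It illustrates both the Description (a login query built from untrusted input, and the differential behaviour the scanner looks for) and the Solution (a precompiled, parameterized query). It assumes Python with the lxml library available, and the user store XML is a constructed fixture. The `responds_differently` helper is a hypothetical regression check modelled on the plugin's differential analysis: run it against your own login routine to confirm that a true and a false injected condition no longer produce different responses after the fix.

```python
from lxml import etree  # assumption: lxml is installed (pip install lxml)

# Constructed sample user store (not from the page): the kind of XML
# document the description refers to.
USERS_XML = b"""<users>
  <user role="admin"><username>alice</username><password>s3cret</password></user>
  <user role="user"><username>bob</username><password>hunter2</password></user>
</users>"""
ROOT = etree.fromstring(USERS_XML)


def login_vulnerable(username, password):
    """The 'before' case: client input is concatenated into the query text,
    so quote characters and XPath operators are parsed as query syntax."""
    query = f"//user[username='{username}' and password='{password}']"
    return [u.get("role") for u in ROOT.xpath(query)]


# Precompiled, parameterized query: the expression is fixed at import time and
# the client-supplied values are bound to $u and $p as strings at run time.
SAFE_QUERY = etree.XPath("//user[username=$u and password=$p]")


def login_safe(username, password):
    """The hardened case: the query text never changes; values are bound as
    XPath variables, so they are compared as opaque strings."""
    return [u.get("role") for u in SAFE_QUERY(ROOT, u=username, p=password)]


def responds_differently(login, username, true_payload, false_payload):
    """Regression check mirroring the plugin's differential analysis: for a
    fixed login function, a payload carrying a true condition and one carrying
    a false condition should produce the same response. A malformed query that
    raises an XPath error is itself a distinguishable response, so an
    exception is treated as its own response class rather than hidden."""
    def outcome(pw):
        try:
            return ("ok", login(username, pw))
        except etree.XPathError:
            return ("error", None)
    return outcome(true_payload) != outcome(false_payload)


if __name__ == "__main__":
    tautology, contradiction = "x' or '1'='1", "x' or '1'='2"
    print("vulnerable login differs:",
          responds_differently(login_vulnerable, "alice", tautology, contradiction))
    print("parameterized login differs:",
          responds_differently(login_safe, "alice", tautology, contradiction))
```

With the concatenated query, the tautology payload returns every user (both roles) while the contradiction returns none, which is exactly the response difference the plugin keys on. With the precompiled query the same two inputs are compared as literal password strings, both return nothing, and the check reports no difference.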

See Also

http://projects.webappsec.org/w/page/13247005/XPath%20Injection

https://www.owasp.org/index.php/XPATH_Injection

Plugin Details

Severity: High

ID: 113310

Type: remote

Family: Injection

Published: 8/8/2022

Updated: 2/21/2024

Scan Template: api, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS Score Source: Tenable

Reference Information