After doing some videos and book reviews, Chris is back to writing articles with a great introduction to yet another security topic. This time it is a little known issue with XML files. Read on and be educated.
Permanent link: [Article]-Intro to XPath Injection
By Chris Gates, CISSP, CPTS, CEH
WTF is XPath Injection? Data can be stored in a XML file instead of an SQL Database. To sort through complex XML documents, developers created the XPath language.http://www.w3.org/TR/xpath
XPath is a query language for XML documents, much like SQL is a query language for databases. Instead of tables, columns, and rows XML files have nodes in a tree. And like SQL, XPATH also had the potential for injection issues if queries are not properly sanitized.
Why is XPath Injection so dangerous?
- XPath 1.0 is a standard language. SQL has many dialects all based on a common, relatively weak syntax.
- XPath 1.0 allows one to query all items of the database (XML objects). In some SQL dialects, it is impossible to query for some objects of the database using an SQL SELECT query (e.g. MySQL does not provide a table of tables).
- XPath 1.0 has no access control for the database , while in SQL, some parts of the database may be inaccessible due to lack of privileges to the application.
As always, please send in your feedback,