XPath Injection

Another injection attack. As querying XML with XPath gets more widely adopted (e.g. the XML DataSource in .NET 2.0), this could become a serious problem.

Just follow the best practices that mitigate all the other injection attacks (that is, sanitize user input), and you’ll be safe (well – sort of :)

Some “advantages” of XPath Injection (from the attacker’s point of view):

  • Since XPath is a standard (yet rich) language, it is possible to carry out the attack ‘as-is’ against any XPath implementation. This is in contrast to SQL injection, where different implementations have different SQL dialects (there is a common SQL language, but it is often too weak).
  • The XPath language can reference practically all parts of the XML document without access control restrictions, whereas with SQL, a “user” (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. So the outcome of the Blind XPath Injection attack is guaranteed to consist of the complete XML document, i.e. the complete database.
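To make the “sanitize user input” advice concrete, here is an added example (not code from the original post) that shows the usual vulnerable pattern, splicing untrusted text into the query string, next to a hardened version that turns the input into a proper XPath 1.0 string literal. The element names and sample values are constructed for the example; it builds the query strings without running them against an XPath engine.

```python
# Added example: unsafe vs. hardened construction of an XPath predicate.
# Element names (users/user/name) and sample inputs are constructed here.

def build_query_unsafe(username: str) -> str:
    """String concatenation: the input is spliced straight into the query
    text, so a value containing quotes changes the structure of the
    predicate instead of being treated as data."""
    return "//users/user[name='" + username + "']"


def xpath_literal(value: str) -> str:
    """Return `value` as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequence for a quote inside a literal, so:
      - no single quote in value -> wrap it in single quotes
      - no double quote in value -> wrap it in double quotes
      - both kinds present       -> split on single quotes and rebuild
                                    the value with concat()
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if i:
            pieces.append('"\'"')          # the single quote between parts
        if part:
            pieces.append("'" + part + "'")  # part holds no single quote
    # value contains both quote kinds, so concat() always gets >= 2 args
    return "concat(" + ", ".join(pieces) + ")"


def build_query_safe(username: str) -> str:
    """Hardened form: whatever the input contains, it stays one literal."""
    return "//users/user[name=" + xpath_literal(username) + "]"


if __name__ == "__main__":
    for name in ["alice", "O'Brien", 'say "hi"', 'O\'Brien "the" one']:
        print("unsafe:", build_query_unsafe(name))
        print("safe:  ", build_query_safe(name))
```

Where the XPath API offers bound variables (e.g. `$name` resolved through a variable resolver), prefer those over building literals; the literal builder is the fallback when only a query string can be passed.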
