AppSec Tales XXIII | XPathI

Karol Mazurek
4 min read · Nov 18, 2023

Application Security Testing for XPath Injections.

INTRODUCTION

This article describes how to test an application for XPath Injection, which occurs when a website uses user-supplied data to construct an XPath (XML Path Language) query against XML data.

XPath is a query language that navigates and selects elements and attributes within XML structures. By using location steps, axes, and predicates, XPath enables efficient traversal of XML documents.

Below are some examples of how to use XPath:

## Selecting Elements:
# All book elements
/bookstore/book

# The first author within a book
/bookstore/book[1]/author

## Using Wildcards:
# All elements in the document
//*

# All title elements at any level
//title

## Predicates for Filtering:
# Book elements published after 2022
/bookstore/book[@year > 2022]

# The second chapter within a book
/bookstore/book/chapter[2]

## Navigating Axes:
# The parent book of a chapter element
/bookstore/book/chapter/..

# All paragraph elements that are preceding siblings of the current node
preceding-sibling::paragraph

## Conditional Selection:
# Book elements with a price less than $40
/bookstore/book[price < 40]

## Text Content Selection:
# The text content of a title element
/bookstore/book/title/text()
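The introduction defines XPath Injection as user-supplied data concatenated into an XPath query. The following added example (not code from the original article) shows that pattern and the quote-safe alternative: XPath 1.0 string literals have no escape sequence for the delimiting quote, so a value containing both `'` and `"` has to be assembled with `concat()`. The query shape `//user[login=... and password=...]` is an assumption chosen for illustration.

```python
"""Building an XPath 1.0 login query from user input: the injectable
string-concatenation form beside a quote-safe literal builder.
The //user[login=... and password=...] structure is assumed for
illustration; real applications should prefer XPath variable binding
(e.g. a variable resolver) where the engine offers it."""


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to exactly `value`.

    - no single quotes  -> 'value'
    - no double quotes  -> "value"
    - both kinds        -> concat('part1', "'", 'part2', ...)
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: split on single quotes, emit each chunk
    # as a single-quoted literal and each quote as a double-quoted one.
    parts = []
    for i, chunk in enumerate(value.split("'")):
        if i > 0:
            parts.append("\"'\"")
        if chunk:
            parts.append(f"'{chunk}'")
    return "concat(" + ", ".join(parts) + ")"


def login_query_unsafe(user: str, password: str) -> str:
    """The injectable pattern: input spliced straight into the query."""
    return f"//user[login='{user}' and password='{password}']"


def login_query_safe(user: str, password: str) -> str:
    """Same query with every user-controlled value wrapped as a literal."""
    return (
        f"//user[login={xpath_literal(user)} "
        f"and password={xpath_literal(password)}]"
    )


if __name__ == "__main__":
    # Constructed test input: the classic tautology payload shape.
    tainted = "' or '1'='1"
    print(login_query_unsafe(tainted, "x"))  # predicate becomes a tautology
    print(login_query_safe(tainted, "x"))    # payload stays inside one literal
```

With the tainted value, the unsafe builder yields `//user[login='' or '1'='1' and password='x']`, while the safe builder keeps the same text inside a single double-quoted literal.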

Currently, there are four versions of XPath, and they are described by the W3C.
Check also the XPath cheatsheet on devhints.io.

GUIDELINES

In the guidelines below, I assume you have already identified the application's entry points, as described in AppSec Tales XI | Input Validation:

After testing for SQL, NoSQL and LDAP query injections, you will likely already have some clues pointing to an XPath Injection vulnerability:
