2.7.4 XML and XPath Injection Attacks

Websites that store data in XML and use the XML Path Language (XPath) to select nodes or compute values from an XML document are exposed to two related attacks: XML injection and XPath injection.

An XML injection attack inserts attacker-controlled markup into an XML document, or into the input of an application that processes XML. It exploits weaknesses such as missing or weak schema validation and the dynamic construction of XML from untrusted input by string concatenation. To prevent XML injection, validate input against an inclusion list (allowlist), encode it for the XML context in which it is used (element content, attribute value, and so on) with an encoding library such as IOSec, and build documents with an XML API that performs that encoding for you rather than by concatenating strings. Documents should also be validated against a W3C XML Schema (XSD) before they are processed.
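The following is an added illustration, not code from the page's author: a user record built by string concatenation versus one built through Python's standard xml.etree API. The element names, the attacker payload and the allowlist pattern are all assumptions constructed for the example. Schema (XSD) validation is not shown because the standard library has no XSD validator; lxml or a similar library would be needed for that step.

```python
import re
import xml.etree.ElementTree as ET

# Vulnerable: untrusted input is pasted straight into the markup.
USER_TEMPLATE = "<user><name>{name}</name><role>user</role></user>"


def build_user_unsafe(name: str) -> str:
    return USER_TEMPLATE.format(name=name)


# Hardened: the XML API escapes <, > and & in element text for us,
# so the input can never close or open an element.
def build_user_safe(name: str) -> str:
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")


# Allowlist for a display name (constructed for this example): a letter,
# then letters, digits, spaces, apostrophes, dots or hyphens, at most 64 chars.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9' .-]{0,63}")


def is_valid_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def roles_of(xml_text: str) -> list:
    """Return every <role> value a consumer of the record would see."""
    return [r.text for r in ET.fromstring(xml_text).findall("role")]


def name_of(xml_text: str) -> str:
    return ET.fromstring(xml_text).findtext("name")


# Constructed attack payload: closes <name>, injects a second <role>,
# then reopens <name> so the template still parses.
PAYLOAD = "alice</name><role>admin</role><name>"

if __name__ == "__main__":
    print("allowlist accepts payload:", is_valid_name(PAYLOAD))
    print("unsafe roles:", roles_of(build_user_unsafe(PAYLOAD)))
    print("safe roles:  ", roles_of(build_user_safe(PAYLOAD)))
    print("safe name:   ", name_of(build_user_safe(PAYLOAD)))
```

With the concatenated template the injected "admin" role appears first in the document, so any consumer that takes the first <role> grants elevated access; the API-built document carries the payload as inert text. The allowlist rejects the payload outright, and the API escaping is the second, context-sensitive layer for values (such as free-text comments) that an allowlist cannot fully constrain.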

An XPath injection attack supplies malicious XPath fragments through URL parameters or form fields so that they become part of a query the application runs against its XML store. If an attacker can control data in an XPath statement, they can rewrite the predicate to select every node in the XML file, disclosing data the application never meant to expose; where the application acts on the query result, for example to authenticate a user or to choose a record to modify or delete, the attacker can also subvert that logic. Preventing XPath injection is similar to preventing SQL or LDAP injection. All input must be validated and sanitized on the server; client-side validation is a usability aid that an attacker simply bypasses. Stripping all single and double quotes can help, but an exception needs to be made for names or addresses that legitimately contain apostrophes, for example O’Neal, D’Angelo, or L’Aquila. That input should instead be escaped so that the query engine treats it as a string literal, or, better still, passed to the query as an XPath variable rather than pasted into the query text.
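As an added example (not part of the original text), the following Python shows a login query built by concatenation beside a hardened version that allowlists the name and escapes every value as an XPath 1.0 string literal. XPath 1.0 has no escape character inside string literals, so a value containing both quote kinds has to be assembled with concat(); that is the technique the helper implements. The query shape, the allowlist and the payloads are assumptions constructed for the example; the strings it produces would be handed to whatever XPath engine the application uses.

```python
import re

# Vulnerable: attacker-controlled values are spliced into the predicate.
def build_login_query_unsafe(name: str, password: str) -> str:
    return f"//user[name='{name}' and password='{password}']"


def xpath_literal(value: str) -> str:
    """Quote an arbitrary string as an XPath 1.0 string literal.

    Single-quoted if it has no single quote, double-quoted if it has no
    double quote, otherwise split on single quotes and rejoined with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


# Allowlist for a person's name (constructed for this example). Apostrophes
# are permitted so O'Neal or D'Angelo pass; the escaping step makes them safe.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}")


def is_valid_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


# Hardened: validate what can be validated, escape everything.
def build_login_query_safe(name: str, password: str) -> str:
    if not is_valid_name(name):
        raise ValueError("name rejected by allowlist")
    # Passwords are deliberately not allowlisted (any character may be legal),
    # so escaping is the control that protects the query here.
    return f"//user[name={xpath_literal(name)} and password={xpath_literal(password)}]"


# Constructed payload: the classic always-true predicate.
INJECTED_PASSWORD = "' or '1'='1"

if __name__ == "__main__":
    print(build_login_query_unsafe("alice", INJECTED_PASSWORD))
    print(build_login_query_safe("O'Neal", INJECTED_PASSWORD))
    print(xpath_literal("both ' and \" quotes"))
```

The unsafe query becomes //user[name='alice' and password='' or '1'='1'], which selects every user; the safe one keeps the payload inside a double-quoted literal so it can only ever match a password that literally equals that string. Where the XPath engine supports variables (lxml's XPath objects do, via keyword arguments such as xpath(query, n=name)), binding values as variables removes the need to construct literals at all, which is the same move as a parameterized SQL statement.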