as part of a larger operation such as applying an XSLT transformation
to an XML document, or applying an XQuery to an XML document.
The syntax of XPath bears some resemblance to an SQL query, and
indeed, it is possible to form SQL-like queries on an XML document
using XPath. For example, assume an XML document that contains
elements named user, each of which contains three
subelements: name, password and account. The following XPath
expression yields the account number of the user whose name is
"jsmith" and whose password is "Demo1234" (or an empty string if no
such user exists):
string(//user[name/text()='jsmith' and
password/text()='Demo1234']/account/text())
If an application constructs XPath queries at run time, embedding
unsanitized user input into the query, it may be possible for an attacker to
inject data into the query such that the newly formed query is
parsed in a way that differs from the programmer's intention.
Example
Consider a web application that uses XPath to query an XML
document and retrieve the account number of a user whose name
and password are received from the client. Such an application may
embed these values directly in the XPath query, thereby creating a
security hole.
Here's an example (assuming Microsoft ASP.NET and C#):
using System.Xml;
using System.Xml.XPath;

XmlDocument XmlDoc = new XmlDocument();
XmlDoc.Load("...");
XPathNavigator nav = XmlDoc.CreateNavigator();
// Vulnerable: both form fields are concatenated straight into the query text,
// so a quote character in either field changes the structure of the query
XPathExpression expr =
    nav.Compile("string(//user[name/text()='" + TextBox1.Text +
                "' and password/text()='" + TextBox2.Text +
                "']/account/text())");
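The same query pattern as an added example (not part of the WASC text, and in Ruby's bundled REXML rather than the ASP.NET/C# of the original): the concatenating form from above beside a hardened form that passes the two inputs as XPath variables, so the query text stays constant and the values are never parsed as XPath. The users document is constructed; the second user's name contains an apostrophe only to show that a legitimate value already breaks the concatenated query.

```ruby
require 'rexml/document'

# Constructed sample document with the page's user/name/password/account layout.
USERS_XML = <<~XML
  <users>
    <user><name>jsmith</name><password>Demo1234</password><account>1001</account></user>
    <user><name>O'Brien</name><password>pa55word</password><account>1002</account></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Vulnerable form: the page's concatenation pattern. A quote in either input
# is read as XPath syntax, so the query no longer means what the code intended.
def account_concat(doc, name, password)
  xpath = "//user[name/text()='#{name}' and password/text()='#{password}']/account/text()"
  node = REXML::XPath.first(doc, xpath)
  node ? node.value : ""
rescue StandardError
  nil # the inputs changed the query structure badly enough that it did not parse
end

# Hardened form: the inputs are bound to the XPath variables $name and $password.
# REXML::XPath.first takes a variables hash as its fourth argument; the query
# string itself never contains user data.
def account_bound(doc, name, password)
  xpath = "//user[name/text()=$name and password/text()=$password]/account/text()"
  vars = { "name" => name, "password" => password }
  node = REXML::XPath.first(doc, xpath, {}, vars)
  node ? node.value : ""
end

if __FILE__ == $PROGRAM_NAME
  puts account_concat(DOC, "jsmith", "Demo1234")     # 1001 with a plain input
  puts account_bound(DOC, "jsmith", "Demo1234")      # 1001
  puts account_concat(DOC, "O'Brien", "pa55word").inspect # quote broke the query
  puts account_bound(DOC, "O'Brien", "pa55word")     # 1002: treated as data
end
```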
Copyright 2004, Web Application Security Consortium. All rights reserved.