XPATH Injection is a code injection technique that applies when an application uses user-supplied data to craft XPATH queries that retrieve and write data stored in XML form.

An attacker may inject a malformed payload to alter XPATH queries, either to find out how the XML data is structured or to retrieve data that they would not normally have access to. It may also be possible to invoke XPATH functions which could allow arbitrary file read operations and other kinds of attacks, depending on the XPATH processor.


Sanitise all user-supplied data for special character sequences like single quotes and double quotes. It is recommended to find out what standard functions exist as part of your development platform that can be used to prepare safe XPATH queries.
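The quote handling described above, as an added example that is not part of the original page: a concatenated query beside one that embeds the value only as a string literal. The `//user[name=...]/email` layout, the function names and the sample payload are assumptions made for illustration.

```python
import re

# Constructed sample input: closes the quoted literal and adds an always-true clause.
PAYLOAD = "x' or '1'='1"


def naive_query(username):
    """Vulnerable form: user data is concatenated straight into the expression."""
    # Hypothetical document layout: <user><name/><email/></user>
    return "//user[name='" + username + "']/email"


def xpath_literal(value):
    """Return value as an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside a literal, so a value holding
    both quote types is written as concat() of separately quoted pieces.
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = []
    for chunk in re.split(r"(')", value):
        if chunk == "'":
            parts.append('"\'"')  # a lone single quote, wrapped in double quotes
        elif chunk:
            parts.append("'" + chunk + "'")
    return "concat(" + ", ".join(parts) + ")"


def safe_query(username):
    """Hardened form: the value can only ever be parsed as one string literal."""
    return "//user[name=" + xpath_literal(username) + "]/email"


if __name__ == "__main__":
    for name in ("alice", PAYLOAD, 'a\'b"c'):
        print("naive:", naive_query(name))
        print("safe: ", safe_query(name))
```

Where the XPATH processor in use supports binding variables into a compiled expression, that is preferable to building the literal by hand.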