CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
View on MITREExtended Description
The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Controlling application flow (e.g. bypassing authentication).
Scope
Impact
The attacker could read restricted XML content.
Mitigation Strategies
Phase
Description
Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.
Phase
Description
Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
Consider the following simple XML document that stores authentication information and a snippet of Java code that uses XPath query to retrieve authentication information:
The Java code used to retrieve the home directory based on the provided credentials is:
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')?+
CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).
What are the security consequences of Improper Neutralization of Data within XPath Expressions ('XPath Injection')?+
If exploited, CWE-643 (Improper Neutralization of Data within XPath Expressions ('XPath Injection')) it can compromise Access Control and Confidentiality, leading to outcomes such as Bypass Protection Mechanism and Read Application Data.
How do you prevent or mitigate Improper Neutralization of Data within XPath Expressions ('XPath Injection')?+
Recommended mitigations for CWE-643 include: Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane. Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.
Which programming languages are affected by Improper Neutralization of Data within XPath Expressions ('XPath Injection')?+
CWE-643 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-643 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.