XML is just as susceptible to injection attacks as HTML and other formats. Because XML is lenient about loosely typed content and XPath parsers accept almost any input without complaint, it is if anything more exposed. As per Wikipedia, injection attacks are “… a technique to introduce (or “inject”) code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs. The purpose of the injected code is typically to bypass or modify the originally intended functionality of the program. When the functionality bypassed is system security, the results can be disastrous.”
XPath is a language for finding information in an XML document. It uses path expressions to select attributes, elements or text nodes; the name comes from these path expressions, which resemble URLs for navigating a document. The language defines a syntax for addressing parts of a document and ships with a library of over 100 built-in standard functions covering string values, numeric values, date and time comparison, node and QName manipulation, sequence manipulation, and Boolean values.
The XPath injection attack vector operates in an analogous way to SQL injection. Most web-based applications use relational databases to store and retrieve information, and authentication is typically built on top of them: the login process invariably queries a table of IDs, names, and passwords. In a SQL injection attack the attacker injects code so that, regardless of the credentials submitted, the query returns a match and the attacker gains unfettered access to the database. With XPath the setup is similar, except that the user information lives in an XML file. In an XPath injection attack the attacker appends malicious XPath fragments to form fields, URL parameters and other inputs to bypass authentication and reach confidential data. Once compromised, this information is leaked and often maliciously modified. With XPath 2.0 taking over from the first generation, the list of injection and other XML security concerns only grows!
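As an added illustration (not code from the original article), here is the login check described above written in Ruby against the standard REXML XPath engine: a vulnerable version that splices the submitted credentials into the query text, beside a hardened version that binds them as XPath variables so they can never alter the query's structure. The user store, the user names and passwords, and the probe input are all constructed for this example.

```ruby
require "rexml/document"

# Constructed sample credential store; a real application would load an XML file.
USERS_XML = <<~XML
  <users>
    <user name="alice" password="s3cret"  role="admin"/>
    <user name="bob"   password="hunter2" role="staff"/>
  </users>
XML
USERS = REXML::Document.new(USERS_XML)

# Vulnerable form: the untrusted name and password are spliced into the query
# text. XPath 1.0 has no escape sequence for a quote inside a string literal,
# so a quote in the input ends the literal and the rest is parsed as XPath.
def vulnerable_login(name, password)
  expr = "//user[@name='#{name}' and @password='#{password}']"
  match = REXML::XPath.first(USERS, expr)
  match && match.attributes["role"]
end

# Hardened form: the query text is a constant and the input is bound through
# XPath variables, so it is compared as a string value and never parsed.
def safe_login(name, password)
  expr = "//user[@name=$user and @password=$pass]"
  vars = { "user" => name, "pass" => password }
  match = REXML::XPath.first(USERS, expr, nil, vars)
  match && match.attributes["role"]
end

# Constructed probe input of the kind the text describes: the leading quote
# closes the name literal and the rest makes the predicate true for every user.
PROBE = "x' or 'a'='a' or 'b'='b"

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, real credentials: #{vulnerable_login('bob', 'hunter2').inspect}"
  puts "vulnerable, probe input:      #{vulnerable_login(PROBE, 'wrong').inspect}"
  puts "hardened,   real credentials: #{safe_login('bob', 'hunter2').inspect}"
  puts "hardened,   probe input:      #{safe_login(PROBE, 'wrong').inspect}"
end
```

The vulnerable version returns the first user's role for the probe input even though the password is wrong, while the hardened version returns nil; a log of login attempts that contain quote characters in the user name field is a cheap detection signal for the same pattern.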