HawkScan Test Info for XPath Injection

XPath Injection


Plugin Id: 90021 | CWE: 643


To prevent XPath Injection vulnerabilities, consider implementing the following measures:

  1. Input validation: Validate and sanitize all user-supplied input before using it to construct XPath queries. Ensure that the input adheres to the expected format and does not contain any malicious characters or sequences.

    Example in Java:

    String userInput = request.getParameter("input");
    // Validate and sanitize the input
    if (isValidInput(userInput)) {
        String xpathQuery = "//node[@attribute='" + userInput + "']";
        // Execute the XPath query
    } else {
        // Handle invalid input
  2. Parameterized queries: Instead of directly concatenating user input into the XPath query, use parameterized queries or prepared statements provided by the XPath library or framework being used. This ensures that user input is treated as data and not as part of the query structure.

    Example in C# using XPathDocument:

    string userInput = Request.QueryString["input"];
    // Create a parameterized XPath query
    XPathDocument document = new XPathDocument("example.xml");
    XPathNavigator navigator = document.CreateNavigator();
    XPathExpression expression = navigator.Compile("//node[@attribute=$input]");
    expression.SetVariable("input", userInput);
    // Execute the parameterized XPath query
  3. Least privilege: Ensure that the user or service executing the XPath queries has the minimum necessary privileges to access and modify the XML documents. Restrict access to sensitive data and operations to prevent unauthorized access or unintended modifications.


XPath Injection is an attack technique that targets applications constructing XPath queries from user-supplied input to query or navigate XML documents. XPath is a language used to select nodes from an XML document based on their properties or relationships. Attackers can exploit XPath Injection vulnerabilities to manipulate the structure of the query and potentially access unauthorized data or modify the intended behavior of the application.

XPath Injection can occur when an application fails to properly validate and sanitize user input before using it to construct XPath queries. This allows attackers to inject malicious input that alters the query’s interpretation, leading to unintended results or unauthorized access.


XPath Injection can pose several risks to the security and functionality of an application:

  1. Unauthorized data access: Attackers can manipulate the XPath query to access sensitive data that should be protected. By injecting crafted input, they can bypass access controls and retrieve information they are not authorized to view.

  2. Data modification: In addition to accessing data, attackers may modify the XPath query to alter the XML document’s content or structure. This can lead to unauthorized changes, data corruption, or even system compromise.

  3. Information disclosure: If an application provides detailed error messages that include XPath query information, attackers can exploit this to gain insights into the application’s structure, potential vulnerabilities, or sensitive data.

  4. Denial of Service (DoS): By injecting complex or resource-intensive XPath queries, attackers can cause excessive CPU or memory usage, leading to a DoS condition that disrupts the availability of the application.

It is crucial to address XPath Injection vulnerabilities to ensure the integrity, confidentiality, and availability of XML-based applications and the data they handle.