Welcome to MSDN Blogs Sign in | Join | Help

XPath Injection attacks - the "other white meat"?

Everyone knows about securing apps from SQL injection attacks, but how many of you have given consideration to XPath injection protection?  

This (PDF:"Blind Xpath Injection") is a good introduction. A short excerpt shows why XPath injection can be more dangerous than it's SQL cousin:

 
This approach is even more powerful with XPath than it is with SQL, due to the following characteristics of XPath:
  • XPath 1.0 is a standard language. SQL has many dialects all based on a common, relatively weak syntax.
  • XPath 1.0 allows one to query all items of the database (XML objects). In some SQL dialects, it is impossible to query for some objects of the database
    using an SQL SELECT query (e.g. MySQL does not provide a table of tables ).
  • XPath 1.0 has no access control for the database , while in SQL, some parts of the database may be inaccessible due to lack of privileges to the application.


Take the general reasoning in the doc, add the lack of a native XPath equivalent to ADO.NET parameterized queries, and this has the potential to cause some major headaches in the future.

 

Published Wednesday, June 16, 2004 5:08 PM by Addys
Filed under:

Comments

# re: XPath Injection attacks - the "other white meat"?

Wednesday, June 16, 2004 6:51 PM by Bertrand Le Roy
On the other hand, you only risk information disclosure, whereas the dangers of SQL injection usually are the complete destruction of your database and/or taking control of the machine if the dba is careless enough.
So as usual, validate and escape user data, and don't store unencoded secrets in a xml file.

# re: XPath Injection attacks - the "other white meat"?

Thursday, June 17, 2004 1:51 AM by Addy Santo
You are correct, however I would suggest that theft of data is much more severe than a mere server crash. One is typically remedied by a simple restore operation, while the other is irreversible and cause serious monetary losses, not to mention tarnished reputations.

Do you think Valve would have been in worse shape if someone crashed their database instead of stealing the halflife 2 codebase? I doubt it.

# XPath Injection Attacks

Sunday, June 20, 2004 3:20 AM by paul.bz

# XPath Injection Attacks

Sunday, June 20, 2004 9:44 PM by SecureCoder by Anil John

# XPath Injection Attacks

Sunday, June 20, 2004 9:44 PM by SecureCoder by Anil John

# http://cyberforge.com/weblog/aniltj/

Wednesday, July 21, 2004 8:48 PM by TrackBack
http://cyberforge.com/weblog/aniltj/

# Santomania XPath Injection attacks the other white meat | Wood TV Stand

Sunday, May 31, 2009 7:23 PM by Santomania XPath Injection attacks the other white meat | Wood TV Stand

PingBack from http://woodtvstand.info/story.php?id=10067

# Santomania XPath Injection attacks the other white meat | Cast Iron Cookware

Wednesday, June 03, 2009 3:39 PM by Santomania XPath Injection attacks the other white meat | Cast Iron Cookware

PingBack from http://castironbakeware.info/story.php?title=santomania-xpath-injection-attacks-the-other-white-meat

New Comments to this post are disabled
 
Page view tracker