OWASP Periodic Table of Vulnerabilities - XPath/XQuery Injection

Root Cause Summary
The application unsafely incorporates user data into an XQuery or XPath expression, allowing that data to change the logic of the query.

Browser / Standards Solution
None

Perimeter Solution
None

Generic Framework Solution
The framework should provide a safe wrapper for XML search operations which canonicalizes and parameterizes patterns, or avoids injection pitfalls altogether. Use only safe XQuery and XPath libraries, or a subset of those libraries' features that is not vulnerable to injection.
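As an added example (not code from this OWASP page), the following Python wrapper illustrates the "safe subset" approach using only the standard library's ElementTree XPath support: user data is never spliced into the pattern raw, it is always encoded as a single XPath string literal, and input that XPath 1.0 cannot represent as one literal is refused rather than guessed at. The user document, names and functions are constructed for the example; where a library offers true variable binding (for instance lxml's `$var` parameters to `xpath()`), prefer that over any string building.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample document for the example (not from the page).
USERS_XML = """<users>
  <user name="alice" role="user"/>
  <user name="bob" role="admin"/>
  <user name="o'brien" role="user"/>
</users>"""
ROOT = ET.fromstring(USERS_XML)


def xpath_literal(value: str) -> str:
    """Encode an untrusted value as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequence inside string literals, so the only
    safe option is to pick the quote character that does not occur in the
    value. A value containing both kinds of quote cannot be expressed as a
    single literal (a full engine would need concat()); ElementTree's
    subset lacks concat(), so such input is rejected instead of embedded.
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    raise ValueError("value contains both quote characters; refusing to build XPath")


def find_users_by_name(root: ET.Element, name: str) -> List[ET.Element]:
    """Safe lookup: the name only ever reaches the pattern as a literal,
    so brackets, operators or quotes in it are matched as data, not parsed."""
    return root.findall("./user[@name=" + xpath_literal(name) + "]")


def role_of(root: ET.Element, name: str) -> Optional[str]:
    """Return the role attribute of the first matching user, or None."""
    hits = find_users_by_name(root, name)
    return hits[0].get("role") if hits else None


if __name__ == "__main__":
    for candidate in ["bob", "o'brien", 'say "hi"', "it's \"both\""]:
        try:
            print(repr(candidate), "->", role_of(ROOT, candidate))
        except ValueError as exc:
            print(repr(candidate), "-> rejected:", exc)
```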

Custom Framework Solution
None

Custom Code Solution
None

Discussion / Controversy
None