This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Periodic Table of Vulnerabilities - XPath/XQuery Injection

From OWASP
Jump to: navigation, search

Return to Periodic Table Working View

XPath/XQuery Injection

Root Cause Summary

The application unsafely incorporates user data into an XQuery or XPath pattern which can change the logic of the query.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

The framework should provide a safe wrapper for XML search operations which canonicalizes and parameterizes patterns or avoids injection pitfalls altogether. Use only safe XQuery and XPath libraries or a subset of those libraries which is not vulnerable to injection.

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

None

References

OWASP Top 10 2010 - A1 Injection
XPath Injection
XQuery Injection (WASC)