Php Xpath Format String Injection
Description
Detects potential XPath injection vulnerabilities in PHP applications where unvalidated user input could be used in XPath queries. This vulnerability allows attackers to modify XPath expressions to access unauthorized data or manipulate query logic, potentially exposing sensitive XML data.
Detection Strategy
• Identifies PHP function calls that execute XPath queries
• Checks if the function call uses dangerous XPath expressions or operations
• Analyzes function arguments to determine if they accept unvalidated external input
• Reports a vulnerability when a function using XPath expressions accepts potentially tainted input without proper validation
Vulnerable code example
<?php
$xml_string = '<users><user id="1"><username>admin</username><password>secret</password></user></users>';
$dom = new DOMDocument();
$dom->loadXML($xml_string);
$xpath = new DOMXPath($dom);
// SOURCE: User input from $_GET...

✅ Secure code example
<?php
$xml_string = '<users><user id="1"><username>admin</username><password>secret</password></user></users>';
$dom = new DOMDocument();
$dom->loadXML($xml_string);
$xpath = new DOMXPath($dom);
// Cast user input to integer to prevent XPath injection...
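The following is an added example, not code from the original page or from Fluid Attacks, that carries the two snippets above through to a working script. It keeps the page's DOMDocument/DOMXPath setup and shows the unsafe interpolation pattern the detector flags next to two hardened forms: the integer cast the secure example uses for numeric keys, and a literal-building helper for free-text values, since XPath 1.0 has no escape sequence inside string literals. The function names (lookupUserByIdUnsafe, lookupUserById, xpathStringLiteral, lookupUserByName) and the second user record are assumptions made for the example.

```php
<?php
// Added example (not from the original page). Helper names are illustrative.

// Constructed sample document; the second record contains an apostrophe on purpose.
$xml_string = '<users>'
    . '<user id="1"><username>admin</username><password>secret</password></user>'
    . '<user id="2"><username>o\'brien</username><password>hunter2</password></user>'
    . '</users>';

$dom = new DOMDocument();
$dom->loadXML($xml_string);
$xpath = new DOMXPath($dom);

// VULNERABLE (what the detector reports): raw request input is concatenated
// into the expression, so a quote or XPath operator in $id rewrites the query.
function lookupUserByIdUnsafe(DOMXPath $xpath, string $id)
{
    return $xpath->query("//user[@id='" . $id . "']/username");
}

// SAFE for numeric keys: the cast guarantees only digits reach the expression.
// Use ctype_digit($id) first if non-numeric input should be rejected rather
// than coerced.
function lookupUserById(DOMXPath $xpath, string $id)
{
    $safeId = (int) $id;
    return $xpath->query("//user[@id=" . $safeId . "]/username");
}

// SAFE for free-text values: choose a quote style the value does not contain;
// if it contains both, split on apostrophes and rebuild with concat().
function xpathStringLiteral(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    // e.g. a'b"c  ->  concat('a', "'", 'b"c')
    $parts = explode("'", $value);
    return "concat('" . implode("', \"'\", '", $parts) . "')";
}

function lookupUserByName(DOMXPath $xpath, string $name)
{
    return $xpath->query('//user[username=' . xpathStringLiteral($name) . ']/@id');
}

// Demonstration with constructed inputs standing in for $_GET values.
$byId = lookupUserById($xpath, '2abc');         // (int) '2abc' === 2
echo $byId->item(0)->textContent, PHP_EOL;       // o'brien

$byName = lookupUserByName($xpath, "o'brien");  // apostrophe handled by the literal helper
echo $byName->item(0)->nodeValue, PHP_EOL;       // 2
```

Run it with `php example.php`. The unsafe function is left in place only to show the shape the detection strategy matches (an XPath query whose argument is built from untrusted input with no validation); the two safe variants are the patterns that clear the finding, and the literal helper covers the case the integer cast cannot, where the looked-up value is a string.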