Javascript Dynamic Xpath Injection
Description
Detects JavaScript XPath injection vulnerabilities where user input is insecurely used to construct dynamic XPath expressions. This can allow attackers to manipulate XPath queries to access unauthorized data or modify query behavior.
Detection Strategy
• Identifies JavaScript code that constructs XPath expressions using string concatenation or interpolation
• Checks whether any user-controlled input (e.g. request parameters, form data, URL query strings) flows into XPath expression strings
• Reports a vulnerability when unsanitized user input is used to build XPath queries in JavaScript
• Looks for common XPath APIs and methods like evaluate(), createExpression(), or xpath.select()
• Flags cases where proper XPath escaping or parameterization is not used
Vulnerable code example
const xpath = require('xpath');
const express = require('express');
const router = express.Router();
router.get('/users', (req, res) => {
const username = req.query.username;
// VULNERABLE: Direct concatenation of user input into XPath query
const query = "//user[name='" + username + "']";
const nodes = xpath.select(query, doc); // doc: XML DOM loaded elsewhere (assumed, not shown on the page)
res.json(nodes.map((n) => n.toString()));
});
✅ Secure code example
const xpath = require('xpath');
const express = require('express');
const router = express.Router();
// Sanitize input by removing control chars and limiting length
function sanitizeInput(input = '', maxLength = 128) {
return String(input)
.replace(/[\x00-\x1F\x7F<>'"/]/g, '') // Remove control chars and risky symbols
.slice(0, maxLength); // Limit length
}
router.get('/users', (req, res) => {
const username = sanitizeInput(req.query.username);
const nodes = xpath.select("//user[name='" + username + "']", doc); // doc: XML DOM loaded elsewhere (assumed, not shown on the page)
res.json(nodes.map((n) => n.toString()));
});
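As an added example that is not part of Fluid Attacks' rule or of the page's own code: the parameterization the detector looks for can be approximated in XPath 1.0 by always embedding untrusted input as one string literal, splitting it with concat() when it contains both quote kinds, instead of concatenating it raw. The function names xpathLiteral, buildUserQuery and buildUserQueryUnsafe are assumed here.

```javascript
// Added example, not code from the page or from Fluid Attacks.
// Wrap an untrusted value as an XPath 1.0 string literal. Literals cannot
// contain their own delimiter and have no escape sequence, so pick the quote
// kind the value lacks, and fall back to concat() when it contains both.
function xpathLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return `'${s}'`;
  if (!s.includes('"')) return `"${s}"`;
  // Both quote kinds present: split on single quotes and stitch the pieces
  // back together with a double-quoted "'" between them.
  const parts = s.split("'").map((p) => `'${p}'`);
  return `concat(${parts.join(`, "'", `)})`;
}

// Hardened form of the page's route: the value is always exactly one literal,
// so the predicate structure cannot change whatever the input contains.
function buildUserQuery(username) {
  return `//user[name=${xpathLiteral(username)}]`;
}

// The raw-concatenation pattern the detector flags, kept for contrast.
// Even a benign name with an apostrophe leaves the literal unbalanced.
function buildUserQueryUnsafe(username) {
  return `//user[name='${username}']`;
}

// Constructed sample inputs: a plain name, one with an apostrophe,
// and one with both quote kinds.
for (const name of ['alice', "O'Reilly", `a'b"c`]) {
  console.log(buildUserQueryUnsafe(name), '->', buildUserQuery(name));
}
```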