Database

Java User Input Xquery Injection

Description

Detects XQuery injection vulnerabilities in Java applications that use the Saxon XQuery processor, where untrusted user input is concatenated into an XQuery expression and then executed. An attacker who controls that input can alter the structure of the query, which can lead to information disclosure (reading data the query was not meant to return) or data manipulation.

Weakness:

014 - Insecure functionality

Category: Functionality Abuse

Detection Strategy

    Application must import Saxon XQuery classes (net.sf.saxon.xqj.SaxonXQDataSource)

    Application must use Java XQuery API classes (javax.xml.xquery.*)

    Code contains calls to executeQuery() method

    The XQuery expression string contains or is derived from untrusted user input

    The expression is passed directly to executeQuery without parameterization (binding the input to an external XQuery variable) or strict input validation; escaping quote characters alone is not considered a sufficient sanitizer, since the input still becomes part of the query text

Vulnerable code example

import javax.xml.xquery.*;
import net.sf.saxon.xqj.SaxonXQDataSource;

public XQResultSequence processUserQuery(String userInput) throws Exception {
    XQDataSource ds = new SaxonXQDataSource();
    XQConnection conn = ds.getConnection();

    // VULNERABLE: Direct concatenation of user input into the XQuery text.
    // Input such as  ' or '1'='1  closes the string literal and rewrites the predicate.
    String query = "for $u in doc('users.xml')//user[name='" + userInput + "'] return $u";  // illustrative query
    XQExpression expr = conn.createExpression();
    return expr.executeQuery(query);
}

✅ Secure code example

import javax.xml.xquery.*;
import javax.xml.namespace.QName;
import net.sf.saxon.xqj.SaxonXQDataSource;

public XQResultSequence processUserQuery(String userInput) throws Exception {
    XQDataSource ds = new SaxonXQDataSource();
    XQConnection conn = ds.getConnection();

    // SECURE: the query text is a fixed string; the user's value is bound to the
    // external variable $name, so it is compared as data and never parsed as XQuery.
    String query = "declare variable $name external; "
        + "for $u in doc('users.xml')//user[name=$name] return $u";   // illustrative query
    XQPreparedExpression expr = conn.prepareExpression(query);
    expr.bindString(new QName("name"), userInput, null);   // null type defaults to xs:string
    return expr.executeQuery();
}
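The following is an added, complete program (not code from this page or from the rule's author) that runs the concatenated and the parameterized pattern side by side against a small in-memory document, so the effect of the injection and of the fix can be observed directly. It assumes Saxon-HE and the XQJ API interfaces (javax.xml.xquery) are on the classpath; the class and method names, the sample XML and the two test inputs are constructed for this example.

```java
import javax.xml.namespace.QName;
import javax.xml.xquery.XQConnection;
import javax.xml.xquery.XQDataSource;
import javax.xml.xquery.XQExpression;
import javax.xml.xquery.XQPreparedExpression;
import javax.xml.xquery.XQResultSequence;
import net.sf.saxon.xqj.SaxonXQDataSource;

public class XQueryInjectionDemo {

    // Constructed sample document (not from the page); bound to $doc so the demo needs no files.
    static final String USERS_XML =
          "<users>"
        + "<user><name>alice</name><role>admin</role></user>"
        + "<user><name>bob</name><role>user</role></user>"
        + "</users>";

    // VULNERABLE: the caller's string is spliced into the XQuery text before compilation.
    static int countUsersVulnerable(XQConnection conn, String userInput) throws Exception {
        String query = "declare variable $doc external; "
                     + "count($doc//user[name='" + userInput + "'])";
        XQExpression expr = conn.createExpression();
        expr.bindDocument(new QName("doc"), USERS_XML, null, null);
        XQResultSequence rs = expr.executeQuery(query);
        rs.next();
        int n = rs.getInt();
        expr.close();
        return n;
    }

    // SAFE: the query text is constant; the input is bound as the value of an external
    // variable, so the engine treats it as an xs:string, never as XQuery syntax.
    static int countUsersSafe(XQConnection conn, String userInput) throws Exception {
        String query = "declare variable $doc external; "
                     + "declare variable $name external; "
                     + "count($doc//user[name=$name])";
        XQPreparedExpression expr = conn.prepareExpression(query);
        expr.bindDocument(new QName("doc"), USERS_XML, null, null);
        expr.bindString(new QName("name"), userInput, null);  // null item type defaults to xs:string
        XQResultSequence rs = expr.executeQuery();
        rs.next();
        int n = rs.getInt();
        expr.close();
        return n;
    }

    public static void main(String[] args) throws Exception {
        XQDataSource ds = new SaxonXQDataSource();
        XQConnection conn = ds.getConnection();
        try {
            String benign  = "alice";
            String hostile = "' or '1'='1";  // closes the literal and appends a tautology

            System.out.println("vulnerable, benign  : " + countUsersVulnerable(conn, benign));
            System.out.println("vulnerable, hostile : " + countUsersVulnerable(conn, hostile));
            System.out.println("safe, benign        : " + countUsersSafe(conn, benign));
            System.out.println("safe, hostile       : " + countUsersSafe(conn, hostile));
        } finally {
            conn.close();
        }
    }
}
```

With the input alice both paths match one user. With the hostile input the concatenated query text becomes count($doc//user[name='' or '1'='1']): the predicate is now true for every user element, so the vulnerable path returns the whole set, which is the information-disclosure case the rule describes. The prepared query instead compares name to the entire hostile string as a value and matches nothing. This is also why binding, not escaping, is the fix the detection strategy looks for: an escaping routine has to be correct for every XQuery construct the input can reach, while an external variable cannot change the structure of the compiled query at all.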