Java Xpath Injection Via Concat
Description
Detects XPath injection in Java applications where user-controlled input is concatenated directly into an XPath query string. XPath 1.0 string literals have no escape sequence, so a quote character in the input terminates the literal and lets the attacker rewrite the structure of the query, for example to read records they are not authorized to see or to turn an authentication predicate into one that is always true.
Detection Strategy
• Identifies calls to XPath evaluate() methods in Java code
• Checks if the XPath query string contains or is built using user-controlled input
• Reports a vulnerability when user input reaches an XPath query without being validated or bound as an XPath variable instead of being spliced into the query text
• Focuses on string concatenation patterns where user data is directly embedded in XPath expressions
Vulnerable code example
```java
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import javax.servlet.http.HttpServletRequest;
import org.w3c.dom.Document;

public void processXPath(HttpServletRequest request, Document xmlDocument) {
    String userInput = request.getParameter("id");
    ...
```
✅ Secure code example
```java
import javax.xml.xpath.*;
import javax.servlet.http.HttpServletRequest;
import org.w3c.dom.Document;

public void processXPath(HttpServletRequest request, Document xmlDocument) {
    String userInput = request.getParameter("id");
    XPathFactory xpf = XPathFactory.newInstance();
    ...
```
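Both snippets on this page stop after their first lines. The following is an added, self-contained example written for this page; it is not Fluid Attacks' rule code or the code of any project. It puts the concatenation pattern the rule flags next to the fix it expects (binding the value through an XPathVariableResolver so the query text stays a fixed literal) and runs both against a small in-memory document. The class name XPathInjectionDemo, the helpers lookupNameUnsafe and lookupNameSafe, the constructed users XML and the payload string are all assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

public class XPathInjectionDemo {

    // Constructed sample data; stands in for the XML a real application would load.
    private static final String USERS_XML =
        "<users>"
      + "  <user id=\"1\"><name>alice</name><role>admin</role></user>"
      + "  <user id=\"2\"><name>bob</name><role>user</role></user>"
      + "</users>";

    // Parse with DTDs disabled so the parser itself is not an XXE vector.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Vulnerable (hypothetical helper): the caller-supplied id is spliced into the
    // query text, so a quote in the input ends the literal and the rest of the
    // input becomes part of the predicate.
    static String lookupNameUnsafe(Document doc, String userInput) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String query = "/users/user[@id='" + userInput + "']/name";
        return xpath.evaluate(query, doc);
    }

    // Hardened (hypothetical helper): the query is a fixed literal that references
    // the variable $id; the resolver supplies the value as a plain string, which
    // the engine compares by value and never parses as XPath syntax.
    static String lookupNameSafe(Document doc, String userInput) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver((QName name) ->
            "id".equals(name.getLocalPart()) ? userInput : null);
        XPathExpression compiled = xpath.compile("/users/user[@id=$id]/name");
        return compiled.evaluate(doc);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String payload = "' or '1'='1";   // constructed attacker input

        // Legitimate lookup behaves the same in both versions.
        System.out.println("unsafe, id=2:      " + lookupNameUnsafe(doc, "2"));
        System.out.println("safe,   id=2:      " + lookupNameSafe(doc, "2"));

        // Injected input: the unsafe predicate becomes @id='' or '1'='1', which is
        // true for every user; the safe version compares @id against the literal
        // string and matches nothing.
        System.out.println("unsafe, payload:   " + lookupNameUnsafe(doc, payload));
        System.out.println("safe,   payload:   " + lookupNameSafe(doc, payload));
    }
}
```

With the payload the unsafe query becomes `/users/user[@id='' or '1'='1']/name`, so evaluate() returns the name of the first user in document order (here the admin account) no matter which id the caller was entitled to; the bound variant returns an empty string because no @id equals the injected text. Stripping single quotes is not a substitute for binding: the same splice with a double-quoted literal is broken by a `"`, and an input containing both quote characters cannot be expressed as a single XPath 1.0 literal at all. XPathVariableResolver is part of the standard javax.xml.xpath API, so this fix needs no extra dependency.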