Typescript Dynamic Xpath Injection
Description
Detects potential XPath injection vulnerabilities in TypeScript code where user input is concatenated or interpolated into an XPath query string without proper validation or escaping. An attacker who controls part of the expression can change its structure, for example by closing a string literal and adding an `or` condition, and so read unintended nodes of the XML document or bypass a check (such as the login lookup in the example below) that the query was meant to enforce.
Detection Strategy
• Identifies XPath query operations in TypeScript code that dynamically construct expressions using string concatenation or template literals
• Traces data flow to detect when user-controllable input (e.g. HTTP parameters, form data) flows into XPath queries
• Reports a vulnerability when user input can influence an XPath query without adequate input validation or escaping
• Checks for unsafe patterns such as direct string concatenation or template-literal interpolation in the query argument of methods like evaluate(), select(), selectNode(), and other XPath processing functions
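The following is an added example, not Fluid Attacks' detector, of the strategy described above reduced to a line-oriented heuristic: it records variables that are assigned from a template literal with interpolation or from string concatenation, then flags calls to XPath sinks whose query argument is either such a variable or an inline dynamic string. The sink names (select, select1, evaluate, as used by the xpath package and by document.evaluate in browsers) and the SAMPLE source it scans are assumptions constructed for this example.

```typescript
// Added example (not the original page's or Fluid Attacks' code): a small
// intra-file heuristic for dynamically built XPath queries flowing into a sink.

interface Finding {
  line: number;   // 1-based line of the sink call
  sink: string;   // sink method name that received the query
  reason: string;
}

// Assumed sink names: select/select1/evaluate from the xpath package, with
// evaluate also covering document.evaluate() in the browser.
const SINK_RE = /\b(?:xpath\.|document\.)?(select1?|evaluate)\(\s*([^,)]+)/g;
// Single-line const/let/var assignment: captures the name and the right-hand side.
const ASSIGN_RE = /\b(?:const|let|var)\s+(\w+)\s*=\s*(.+?);?\s*$/;

/** True when expr is a template literal containing ${...} or a string concatenation. */
function isDynamicString(expr: string): boolean {
  const t = expr.trim();
  const interpolated = t.charAt(0) === '`' && t.indexOf('${') !== -1;
  const concatenated = /['"`]\s*\+|\+\s*['"`]/.test(t);
  return interpolated || concatenated;
}

function scanForDynamicXPath(source: string): Finding[] {
  const findings: Finding[] = [];
  // name -> line where the variable was last built from a dynamic string.
  // Scope-naive on purpose: a later non-dynamic reassignment clears the entry.
  const dynamicVars: Record<string, number> = {};

  source.split('\n').forEach((text, idx) => {
    const lineNo = idx + 1;
    const assign = ASSIGN_RE.exec(text);
    if (assign) {
      if (isDynamicString(assign[2])) dynamicVars[assign[1]] = lineNo;
      else delete dynamicVars[assign[1]];
    }
    SINK_RE.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = SINK_RE.exec(text)) !== null) {
      const arg = m[2].trim();
      if (isDynamicString(arg)) {
        findings.push({ line: lineNo, sink: m[1], reason: 'query built inline from a dynamic string' });
      } else if (Object.prototype.hasOwnProperty.call(dynamicVars, arg)) {
        findings.push({
          line: lineNo,
          sink: m[1],
          reason: `query variable "${arg}" built dynamically at line ${dynamicVars[arg]}`,
        });
      }
    }
  });
  return findings;
}

// Constructed sample source: one vulnerable function, one safe function, and an
// inline concatenation passed straight to select1().
const SAMPLE = [
  "const xpath = require('xpath');",
  "function vulnerable(username: string) {",
  "  const q = `//users/user[name='${username}']`;",
  "  return xpath.select(q, xmlDoc);",
  "}",
  "function safe() {",
  "  const q = \"//users/user[name='admin']\";",
  "  return xpath.select(q, xmlDoc);",
  "}",
  "const n = xpath.select1('//users/user[@id=' + id + ']', xmlDoc);",
].join('\n');

// Expected: findings on lines 4 (select) and 10 (select1); line 8 is not flagged.
const sampleFindings = scanForDynamicXPath(SAMPLE);
```

This only tracks assignments within one file and one line each; a real detector follows the data flow from HTTP parameters or form fields across calls and scopes, as the strategy above describes, so that constants and already-validated values are not reported.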
Vulnerable code example
const xpath = require('xpath');
const { DOMParser } = require('@xmldom/xmldom');
const fs = require('fs');

// The user store is an XML document loaded from disk
const xmlDoc = new DOMParser().parseFromString(fs.readFileSync('users.xml', 'utf8'), 'text/xml');

function authenticateUser(username: string, password: string) {
  // VULNERABLE: user input is interpolated directly into the XPath query, so a
  // username such as  admin' or '1'='1  rewrites the predicate
  const xpathQuery = `//users/user[name='${username}' and password='${password}']`;
  const result = xpath.select(xpathQuery, xmlDoc);
  return result;
}
Secure code example
const xpath = require('xpath');
function clean(input: unknown): string {
  // Sanitize input by removing control chars and limiting length.
  // Note: quote characters (' and ") pass through unchanged, so clean() on its
  // own does not neutralize XPath string delimiters.
  return String(input || '').replace(/[\x00-\x1F\x7F]/g, '').slice(0, 128);
}
function authenticateUser(username: string, password: string) {...}
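Because the body of the secure authenticateUser above is not shown, and because clean() as written still lets ' and " through, the following added example (not code from the original page) shows two ways to keep user input from changing the structure of the query: an allowlist for identifier-like fields and proper XPath 1.0 literal quoting for free-form values. The regex USERNAME_RE, the helper names xpathLiteral, buildLoginQueryUnsafe and buildLoginQuery, and the sample inputs are assumptions; only strings are built, so the block runs without the xpath package, and the result would be passed as the first argument of xpath.select().

```typescript
// Added example, not the original page's code: hardening the login lookup.

// Assumption for this example: usernames are short ASCII tokens.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;

/**
 * Quote an arbitrary string as an XPath 1.0 string literal. XPath has no
 * escape sequences inside literals, so a value that contains both ' and "
 * is split on ' and the pieces are joined with concat().
 */
function xpathLiteral(value: string): string {
  if (value.indexOf("'") === -1) return `'${value}'`;
  if (value.indexOf('"') === -1) return `"${value}"`;
  const apostrophe = `"'"`;
  const parts = value.split("'").map((p) => `'${p}'`);
  return `concat(${parts.join(', ' + apostrophe + ', ')})`;
}

// The vulnerable construction from the example above, kept for comparison.
function buildLoginQueryUnsafe(username: string, password: string): string {
  return `//users/user[name='${username}' and password='${password}']`;
}

// Hardened: reject usernames outside the allowlist, and quote the free-form
// password as a literal so its content can never close the string.
function buildLoginQuery(username: string, password: string): string {
  if (!USERNAME_RE.test(username)) {
    throw new Error('username contains characters outside the allowlist');
  }
  return `//users/user[name=${xpathLiteral(username)} and password=${xpathLiteral(password)}]`;
}

// Constructed attack input: a password that tries to append an always-true clause.
const ATTACK_PASSWORD = "' or '1'='1";
// Unsafe: //users/user[name='admin' and password='' or '1'='1']  (matches admin)
const unsafeQuery = buildLoginQueryUnsafe('admin', ATTACK_PASSWORD);
// Safe:   //users/user[name='admin' and password="' or '1'='1"]  (literal compared)
const safeQuery = buildLoginQuery('admin', ATTACK_PASSWORD);
```

Where the installed xpath package supports parsed expressions with bound variables (the `xpath.parse(expr).select({ node, variables })` form), passing the values that way avoids building the predicate string at all and is the preferred fix; the literal quoting above is the fallback when the query must be assembled as text.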