C Sharp Unvalidated Xpath Input
Description
Detects potential XPath injection vulnerabilities in C# code where unvalidated user input is used to build XPath queries. The flaw occurs when user-controlled data is concatenated into the expression passed to XPathNavigator.Evaluate() without validation or sanitization. Because the attacker then controls the structure of the query rather than just a value, they can change its logic (for example, by closing a quoted string and appending an always-true predicate) and read XML nodes they are not authorized to see.
Detection Strategy
• Identifies calls to XPathNavigator.Evaluate() in C# code
• Checks whether the XPath expression passed to the call contains, or is derived from, user input (e.g. request parameters, form data)
• Reports a vulnerability when user-controlled data flows into Evaluate() without validation or sanitization on the way
• Focuses on method calls ending with '.Evaluate' that process XML data; other XPath sinks such as XPathNavigator.Select() or XmlNode.SelectNodes() are outside the scope of this rule
• Examines both the XPath expression string and the other arguments of the call for user-input influence
Vulnerable code example
using System;
using System.Xml.XPath;
public class XPathExample {
public string GetUserSecret(string username) {
XPathDocument doc = new XPathDocument("users.xml");
XPathNavigator nav = doc.CreateNavigator();
...
✅ Secure code example
using System;
using System.Xml.XPath;
public class XPathExample {
public string GetUserSecret(string username) {
XPathDocument doc = new XPathDocument("users.xml");
XPathNavigator nav = doc.CreateNavigator();
...
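The two snippets above are truncated. The following is an added, self-contained example (it is not Fluid Attacks' own code and does not reproduce the missing lines) that shows the full pattern the rule targets and one way to fix it. The XML document, the `string(/users/user[@name=...]/secret)` expression, the username allowlist regex and the `VariableContext` helper are all assumptions made for this illustration; the fix binds the username as an XPath variable through a custom XsltContext in addition to allowlist validation, which is one concrete form of the "validation or sanitization" the description calls for.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

public static class XPathInjectionDemo
{
    // Constructed sample document standing in for users.xml (assumption, not the page's file).
    private const string UsersXml =
        "<users>" +
        "  <user name=\"alice\"><secret>alice-secret</secret></user>" +
        "  <user name=\"bob\"><secret>bob-secret</secret></user>" +
        "</users>";

    private static XPathNavigator LoadUsers() =>
        new XPathDocument(new StringReader(UsersXml)).CreateNavigator();

    // Vulnerable: the username is concatenated into the expression, so the
    // caller controls the query structure, not just a value.
    public static string GetUserSecretVulnerable(string username)
    {
        XPathNavigator nav = LoadUsers();
        string query = "string(/users/user[@name='" + username + "']/secret)";
        return (string)nav.Evaluate(query);
    }

    // Allowlist for usernames (assumed policy: alphanumerics and underscore, up to 32 chars).
    private static readonly Regex UsernamePattern = new Regex("^[A-Za-z0-9_]{1,32}$");

    // Secure: (1) reject anything outside the allowlist, (2) pass the value as an
    // XPath variable ($name) so the expression's structure is fixed at compile time.
    public static string GetUserSecretSecure(string username)
    {
        if (!UsernamePattern.IsMatch(username))
            throw new ArgumentException("invalid username", nameof(username));

        XPathNavigator nav = LoadUsers();
        XPathExpression expr = nav.Compile("string(/users/user[@name=$name]/secret)");
        var args = new XsltArgumentList();
        args.AddParam("name", "", username);
        expr.SetContext(new VariableContext(args));
        return (string)nav.Evaluate(expr);
    }

    // Minimal XsltContext that resolves $variables from an XsltArgumentList
    // (hypothetical helper written for this example).
    private sealed class VariableContext : XsltContext
    {
        private readonly XsltArgumentList _args;
        public VariableContext(XsltArgumentList args) { _args = args; }

        public override IXsltContextVariable ResolveVariable(string prefix, string name) =>
            new Variable(_args.GetParam(name, ""));

        public override IXsltContextFunction ResolveFunction(
            string prefix, string name, XPathResultType[] argTypes) => null;
        public override int CompareDocument(string baseUri, string nextbaseUri) => 0;
        public override bool PreserveWhitespace(XPathNavigator node) => false;
        public override bool Whitespace => false;

        private sealed class Variable : IXsltContextVariable
        {
            private readonly object _value;
            public Variable(object value) { _value = value; }
            public object Evaluate(XsltContext xsltContext) => _value;
            public bool IsLocal => false;
            public bool IsParam => false;
            public XPathResultType VariableType => XPathResultType.String;
        }
    }

    public static void Main()
    {
        // Closes the quoted string and appends an always-true predicate; every <user> then matches
        // and string() returns the first match's secret, regardless of the supplied name.
        const string payload = "x' or '1'='1";
        Console.WriteLine("vulnerable, payload: " + GetUserSecretVulnerable(payload));
        Console.WriteLine("secure, alice:       " + GetUserSecretSecure("alice"));
        try
        {
            GetUserSecretSecure(payload);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("secure, payload:     rejected (" + e.Message + ")");
        }
    }
}
```

Run it as a console project (`dotnet run`): the vulnerable method returns alice's secret for the injected payload, while the secure method returns the secret only for a well-formed name and rejects the payload before any XPath is evaluated. Even without the allowlist, the variable binding alone would keep the payload inside a single string comparison, because `$name` is substituted as a value and never re-parsed as part of the expression; the allowlist is kept as defence in depth and to fail fast on malformed input.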