XPath Injection

Applies to ReadyAPI 3.5, last modified on January 19, 2021

If you are familiar with ReadyAPI, you probably know about XPath since this is what you use for XPath assertions, content transfer, and so on.

XPath injection is similar to SQL injection, but it works with XML documents. Obviously, the user data is seldom stored in XML documents, so you might think it is safe. However, the system you are testing communicate with another system over web services, and in this case, XML files are largely used.

<login>
    string(//user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1'])
</login>

As in the SQL injection example, you need the system to log you in. Probably, it will not work, but it is useful to know how the service will handle the error.

Also, try to test the XPath processor in the target system:

<login>
    string(//user[user_name/text()='' or '1' = '1' and password/text()='' or '1' = '1'])
</login>

In addition, check what will happen when the XPath processor gets a wrong node, or whether you will get an error message directly from Xalan, Saxon or Microsoft XPathNavigator.

Try various XPath expressions to retrieve as much information about the target system as possible.

See Also

Sample Login Tests

Highlight search results