« Mozilla Protocol Abuse | Main | Anti XSS using Ajax »

Avoid the dangers of XPath injection

"As new technologies emerge and become well established so do threats against those technologies. Blind SQL injection attacks are a well know and recognized form of code injection attack, but there are many other forms, some not so well documented or understood. An emerging code injection attack is the XPath injection attack, which takes advantage of the loose typing and forgiving nature of XPath parsers to allow malcontents to piggyback malicious XPath queries on URLs, forms, or other methods to gain access to privileged information and change it.

This article looks at how XPath attacks are usually carried out and provides an example in Java™ and XML environments. It discusses how to detect such threats, looks at what you can do to mitigate the threat, and finally discusses what you can do in response to a suspected penetration."

Article Link: http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!


Post a comment

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...







Remember personal info?