[WEB SECURITY] question about parameterized query for XPATH mitigation

Eugene Kuznetsov kuznetso at gmail.com
Wed Aug 5 23:10:43 EDT 2009

So one thing to note is that this is not just a matter for XML databases
-- any system that uses an XPath or XSLT engine in the wrong way will be

The description at the URL is a bit confusing. I think your question is
about how the java mitigation example is supposed to work? The point is
that they provide a custom variable resolver than prevents any variables
other than the expected ones from getting mapped and ensures the
untrusted values are never processed as part of parsing the Xpath
expression. Now, whether the XPath/XSLT/XQuery engine will do all that
correctly, waht it will do if it gets a 65000 byte long string as input,
etc., those are all different matters. 

On Wed, 2009-08-05 at 11:33 -0500, mhellman at taxandfinance.com wrote:
> I can't quite get my teeny brain around how parameterized queries work for
> XPATH mitigation. I'm clearly missing something obvious. I am using the
> example found here:
> http://capec.mitre.org/data/definitions/83.html
> The example seems to have a few typos (why would providing malicious
> password input change the username part of the expression?), but that's
> not the point.
> When I think about prepared statements and bind variables relative to SQL
> injection, my understanding is that the prepared statement is
> compiled/processed separately from the variables. The XPATH example above
> doesn't seem to have the same level of separation.  The evil value seems
> to be assigned to a variable and then used in the compile statement. If
> the password contained something like:
> " or "1"="1
> wouldn't it result in a manipulated expression?  TIA,
> Matt

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list