[WEB SECURITY] question about parameterized query for XPATH mitigation

mhellman at taxandfinance.com mhellman at taxandfinance.com
Mon Aug 10 09:40:15 EDT 2009

I don't think I understood the custom variable resolver. I'm not much of a
coder and have never had to use XPath, but it looked like regular old
variable interpolation/concatenation to me.

The description here of XPathVariableResolver seems to help me get it:

If I understand it correctly, the $variables within the XPath expression
are "special". (i.e. "The XPath processor uses the XPathVariableResolver
to retrieve the value of a user defined variable").

> So one thing to note is that this is not just a matter for XML databases
> -- any system that uses an XPath or XSLT engine in the wrong way will be
> vulnerable.
> The description at the URL is a bit confusing. I think your question is
> about how the java mitigation example is supposed to work? The point is
> that they provide a custom variable resolver than prevents any variables
> other than the expected ones from getting mapped and ensures the
> untrusted values are never processed as part of parsing the Xpath
> expression. Now, whether the XPath/XSLT/XQuery engine will do all that
> correctly, waht it will do if it gets a 65000 byte long string as input,
> etc., those are all different matters.
> On Wed, 2009-08-05 at 11:33 -0500, mhellman at taxandfinance.com wrote:
>> I can't quite get my teeny brain around how parameterized queries work
>> for
>> XPATH mitigation. I'm clearly missing something obvious. I am using the
>> example found here:
>> http://capec.mitre.org/data/definitions/83.html
>> The example seems to have a few typos (why would providing malicious
>> password input change the username part of the expression?), but that's
>> not the point.
>> When I think about prepared statements and bind variables relative to
>> SQL
>> injection, my understanding is that the prepared statement is
>> compiled/processed separately from the variables. The XPATH example
>> above
>> doesn't seem to have the same level of separation.  The evil value seems
>> to be assigned to a variable and then used in the compile statement. If
>> the password contained something like:
>> " or "1"="1
>> wouldn't it result in a manipulated expression?  TIA,
>> Matt
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list