XPath Injection in CFML
ColdFusion Security Guide
With an XPath injection vulnerability an attacker can alter an XPath query so that it points to a portion of the XML document that was never meant to be fetched.
A Vulnerable Example
Assume you have the following CFML / ColdFusion code:
The attacker can now manipulate the XPath query by passing additional XPath syntax in the url.id variable.
ColdFusion 11 introduced the encodeForXPath() function, which can be used to wrap variables used within an XPath query.
We could attempt to fix our example above using:
If we knew that url.id should always be an integer, we could also fix it by ensuring an integer is used, like this:
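The following is an added example, not code from this guide: it puts a vulnerable lookup beside both fixes described above (encodeForXPath() and integer coercion) on a constructed sample catalog. The catalog contents, the findItem* helper names, and the assumption that url.id arrives on the query string are all illustrative.

```cfml
<cfscript>
// Added example, not the guide's own code. The catalog below is a constructed sample.
catalog = xmlParse('<catalog><item id="1"><name>Widget</name></item><item id="2"><name>Gadget</name></item><item id="3" internal="true"><name>Internal SKU</name></item></catalog>');

// Vulnerable: the request value is concatenated straight into the XPath string literal,
// so a value containing a quote and extra XPath syntax changes the predicate itself.
function findItemUnsafe(required string id) {
    return xmlSearch(catalog, "/catalog/item[@id='" & arguments.id & "']");
}

// Fix 1: encodeForXPath() (ColdFusion 11+) escapes quotes and other XPath-significant
// characters, so the value cannot break out of the string literal.
function findItemEncoded(required string id) {
    return xmlSearch(catalog, "/catalog/item[@id='" & encodeForXPath(arguments.id) & "']");
}

// Fix 2: when the id must be an integer, validate and coerce before building the query.
// Non-integer input is rejected, so no XPath syntax can reach the expression.
function findItemInt(required string id) {
    if (!isValid("integer", arguments.id)) {
        throw(type="InvalidId", message="id must be an integer");
    }
    return xmlSearch(catalog, "/catalog/item[@id='" & int(arguments.id) & "']");
}

// Request handling: url.id is assumed to come from the query string.
param name="url.id" default="1";
writeOutput("unsafe: "  & arrayLen(findItemUnsafe(url.id))  & " match(es)<br>");
writeOutput("encoded: " & arrayLen(findItemEncoded(url.id)) & " match(es)<br>");
writeOutput("int: "     & arrayLen(findItemInt(url.id))     & " match(es)<br>");
</cfscript>
```

With a well-formed id all three helpers return one node. The integer version is the stronger fix where it applies, because it rejects bad input outright instead of relying on encoding; encodeForXPath() is the option when the value legitimately has to be free-form text.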
- XPath Injection - OWASP XPath Injection Guide