XPath Injection in CFML
ColdFusion Security Guide

What are XPath injection attacks and how do you avoid them in your ColdFusion / Lucee code?

The Risk

With an XPath injection vulnerability, an attacker can alter an XPath query so that it points to a portion of the document that was never meant to be fetched.

A Vulnerable Example

Assume you have the following CFML / ColdFusion code:

// url.id is interpolated straight into the XPath expression
xmlSearch(xmlDoc, "//person[@id=#url.id#]");

The attacker can now manipulate the XPath query by passing additional XPath syntax in the url.id parameter.

Mitigation Techniques

ColdFusion 11 introduced the encodeForXPath() function, which can be used to wrap variables used within an XPath query.

We could attempt to fix our example above using:

xmlSearch(xmlDoc, "//person[@id=#encodeForXPath(url.id)#]");

If we knew that url.id should always be an integer, we could also fix it by ensuring that an integer is used, like this:

xmlSearch(xmlDoc, "//person[@id=#int(url.id)#]");
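
The integer approach above, carried through as an added example that is not part of the original guide: the id is checked with isValid() before int() is applied, so a request value carrying extra XPath syntax is rejected with a clear error instead of either reaching xmlSearch() or failing inside int(). The document, the findPersonById() function name and the InvalidId exception type are constructed for this example.

```cfml
<cfscript>
// Constructed sample document standing in for the real xmlDoc
xmlDoc = xmlParse(
    '<people>' &
    '<person id="1"><name>Alice</name></person>' &
    '<person id="2"><name>Bob</name></person>' &
    '</people>'
);

/**
 * Look up a person by id. Only a whole number is accepted, so no XPath
 * syntax from the request can ever be interpolated into the query.
 * Returns the array of matching <person> elements.
 */
array function findPersonById(required xml doc, required string rawId) {
    // Validate first: int() would throw a conversion error on non-numeric input
    if (!isValid("integer", rawId)) {
        throw(type="InvalidId", message="id must be an integer");
    }
    // Safe: int() yields a bare number, never attacker-controlled syntax
    return xmlSearch(doc, "//person[@id=#int(rawId)#]");
}

// A legitimate request returns exactly one person
matches = findPersonById(xmlDoc, "2");
writeOutput("Found: " & matches[1].name.xmlText & "<br>");

// A value carrying additional XPath syntax is rejected before any query runs
try {
    findPersonById(xmlDoc, "1 or 1=1");
} catch (InvalidId e) {
    writeOutput("Rejected: " & e.message);
}
</cfscript>
```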

Additional Resources