XPath Injection in CFML
ColdFusion Security Guide
What are XPath injection attacks and how do you avoid them in your ColdFusion / Lucee code?
The Risk
With an XPath injection vulnerability an attack can alter an XPath query to point to a portion of the document that was not meant to be fetched.
A Vulnerable Example
Assume you have the following CFML / ColdFusion code:
xmlSearch(xmlDoc, "//person[@id=#url.id#]");
The attacker can now manipulate the xpath query by passing in additional xpath syntax into the url.id variable
Mitigation Techniques
ColdFusion 11 Introduced the encodeForXPath() function which can be used to wrap variables used within an xpath query.
We could attempt to fix our example above using:
xmlSearch(xmlDoc, "//person[@id=#encodeForXPath(url.id)#]");
If we knew that the url.id should always be an integer we could also fix it by ensuring an integer is used like this:
xmlSearch(xmlDoc, "//person[@id=#int(url.id)#]");
Additional Resources
- XPath Injection - OWASP XPath Injection Guide