XPath Injection

User input concatenated into an XPath query (//user[name='<input>']) lets an attacker change the query shape: a quote in the value closes the string literal and everything after it is parsed as XPath, so the payload below turns the lookup into //user[name='admin' or 'a'='a'], which matches every user node. Less common than SQL injection, but the same attack class, with one extra wrinkle: XPath 1.0 has no escape sequence for a quote inside a string literal, so the value has to be validated or sanitized before it is placed in the query.

What it catches

Sample payload

// Before
"admin' or 'a'='a"

// After (sanitize via sanitizeXpath): each apostrophe is replaced with &apos;, so the value can no longer close the literal
"admin&apos; or &apos;a&apos;=&apos;a"

Configuration

import { sanitizeXpath, detectXpathInjection } from '@arcis/node';

// Inside a request handler: `username` is the untrusted value and `res` the response.
// Reject values the detector flags as an injection attempt ...
if (detectXpathInjection(username)) {
  res.status(400).send('invalid input'); return;
}
// ... and sanitize whatever passes before it is placed in the XPath query.
const safe = sanitizeXpath(username);
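
The following is an added example, not code from this page or from @arcis/node: it shows how the sample payload changes the shape of a concatenated query, reproduces the page's apostrophe-encoding output with a one-line replacement, and contrasts it with building a proper XPath 1.0 string literal (the concat() split) that keeps the original value intact. Every function name here (buildUserQueryUnsafe, escapeXpathQuotes, xpathStringLiteral, buildUserQuerySafe, looksLikeXpathInjection) is illustrative and is not the library's API; the detector regex is a heuristic, not the library's rule set.

```javascript
// Added example, not code from @arcis/node. Function names are illustrative.

// VULNERABLE: the untrusted value is pasted straight into the predicate, so a
// quote in the value ends the literal and the rest is parsed as XPath.
function buildUserQueryUnsafe(name) {
  return `//user[name='${name}']`;
}

// Option 1 (mirrors the page's sanitizeXpath sample output, not its code;
// handling of double quotes is an assumption): replace quote characters so
// they can no longer terminate the literal. Cheap, but the stored value
// changes: a real user named O'Brien would no longer match their own record.
function escapeXpathQuotes(value) {
  return value.replace(/'/g, '&apos;').replace(/"/g, '&quot;');
}

// Option 2: wrap the value in a valid XPath 1.0 string literal. XPath 1.0 has
// no escape sequence inside literals, so a value containing both quote kinds
// is split on apostrophes and reassembled with concat().
function xpathStringLiteral(value) {
  if (!value.includes("'")) return `'${value}'`;
  if (!value.includes('"')) return `"${value}"`;
  const pieces = [];
  value.split("'").forEach((chunk, i) => {
    if (i > 0) pieces.push(`"'"`);               // the apostrophe itself, double-quoted
    if (chunk !== '') pieces.push(`'${chunk}'`); // runs that contain no apostrophe
  });
  return `concat(${pieces.join(', ')})`;
}

function buildUserQuerySafe(name) {
  return `//user[name=${xpathStringLiteral(name)}]`;
}

// Heuristic detector in the spirit of detectXpathInjection (illustrative):
// a quote followed by an XPath operator or a closing bracket, or a bare //
// path step, has no business in a username.
const XPATH_INJECTION = /['"]\s*(or|and|=|\]|\||\))|\/\//i;
function looksLikeXpathInjection(value) {
  return XPATH_INJECTION.test(value);
}

// Constructed sample input: the page's own payload.
const payload = "admin' or 'a'='a";
console.log(buildUserQueryUnsafe(payload)); // //user[name='admin' or 'a'='a']
console.log(buildUserQuerySafe(payload));   // //user[name="admin' or 'a'='a"]
console.log(looksLikeXpathInjection(payload)); // true
```

Option 2 is the one to reach for when the value must survive unchanged (names, e-mail addresses) and the engine offers no variable binding; where it does (XPath 2.0 engines, or evaluators that accept a variable resolver), binding the value as a variable is cleaner still, because the value never becomes part of the expression text. The detector stays a first line of defence: it rejects the obvious payloads early, but a sanitizer or literal builder is still needed for whatever passes.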

References