Xpath Injection with Api Keys
How Xpath Injection Manifests in Api Keys
Xpath injection in API keys contexts typically occurs when user-supplied API keys are used to construct XPath queries without proper sanitization. Attackers can manipulate API keys to extract unauthorized data from XML documents or APIs that process XML.
Consider an API endpoint that validates API keys using XPath:
const apiKey = req.headers['x-api-key'];
const xpathQuery = `//user[apiKey='${apiKey}']`;
const result = xmlDoc.evaluate(xpathQuery, xmlDoc, null, XPathResult.ANY_TYPE, null);
An attacker can craft an API key like:
validKey' or '1'='1
This transforms the query into:
//user[apiKey='validKey' or '1'='1']
The condition '1'='1' is always true, potentially returning all users' data or bypassing authentication entirely.
More sophisticated attacks can extract specific data:
validKey'/key/text()|//*|
This can cause the XPath engine to return the first key value, all elements, or trigger errors that leak system information.
In REST APIs, Xpath injection might appear when API keys are used to query XML-based configuration files or when XML is used for data exchange in API key validation workflows.
Api Keys-Specific Detection
Detecting Xpath injection in API key contexts requires examining how API keys are incorporated into XPath expressions. Key detection strategies include:
Static Analysis: Review code paths where API keys are used in XPath construction. Look for string concatenation without sanitization:
const query = `//user[apiKey='${req.headers['x-api-key']}']`;
Dynamic Testing: Submit API keys containing special characters and observe responses:
Test Cases:
- Single quote: api'key
- XPath functions: key' or starts-with(key, 'a') or '1'='1
- Boolean injection: key' or true() or '1'='1
- Comment injection: key' or 1=1 --
middleBrick Scanning: middleBrick's black-box scanning automatically tests for Xpath injection by submitting crafted payloads to API endpoints. The scanner evaluates XPath query construction patterns and identifies vulnerable endpoints without requiring source code access.
Runtime Monitoring: Log and monitor for unusual XPath error patterns or unexpected data access patterns when processing API keys.
Configuration Analysis: Check XML processing configurations for default behaviors that might enable injection, such as allowing external entity resolution or XPath 2.0 features.
Api Keys-Specific Remediation
Remediating Xpath injection in API key contexts requires multiple defensive layers:
1. Input Validation: Validate API keys against strict patterns before use:
const apiKeyPattern = /^[a-zA-Z0-9-_]{32,64}$/;
const apiKey = req.headers['x-api-key'];
if (!apiKeyPattern.test(apiKey)) {
return res.status(400).json({error: 'Invalid API key format'});
}
2. Parameterized XPath Queries: Use parameterized XPath expressions where supported:
// Using Saxon-HE Java library example
const xpath = new XPathFactory().newXPath();
const expr = xpath.compile(
"//user[apiKey=$apiKey]/data"
);
const result = expr.evaluate({
apiKey: req.headers['x-api-key']
});
3. Whitelist API Keys: Store API keys in a secure database and use ID-based lookup instead of XPath queries:
// Replace XPath with direct lookup
const validKey = await db.collection('apiKeys')
.findOne({key: req.headers['x-api-key'], active: true});
if (!validKey) {
return res.status(401).json({error: 'Invalid API key'});
}
4. Sanitize Inputs: Escape special characters in API keys before XPath use:
function sanitizeForXPath(input) {
return input.replace(/['"]/, '\$0');
}
const safeApiKey = sanitizeForXPath(req.headers['x-api-key']);
5. Use Alternative Data Formats: Where possible, avoid XML/XPath entirely in favor of JSON with proper query mechanisms:
// JSON-based API key validation
const user = await db.collection('users')
.findOne({apiKey: req.headers['x-api-key']});
6. Implement Rate Limiting: Add rate limiting to API endpoints to reduce the impact of injection attempts:
const rateLimiter = new RateLimiter({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});