HIGH xpath injectionjwt tokens

Xpath Injection with Jwt Tokens

Scan your API now

How Xpath Injection Manifests in Jwt Tokens

Xpath injection in Jwt tokens occurs when applications use JWT claims to construct XPath queries without proper sanitization. Attackers can manipulate token claims to alter query logic and extract unauthorized data from XML databases.

Common Jwt token claims vulnerable to XPath injection:

  • sub (subject) - often used as user identifier in XPath queries
  • role - used for authorization checks
  • email - used to fetch user-specific data

Attack Pattern 1: BOLA via XPath

// Vulnerable code - attacker can manipulate sub claim to access other users' data
const jwt = require('jsonwebtoken');
const xpath = require('xpath');
const dom = require('xmldom').DOMParser;

function getUserData(token) {
  const decoded = jwt.verify(token, process.env.JWT_SECRET);
  const doc = new dom().parseFromString(xmlData);
  
  // Attacker controls decoded.sub and can inject XPath
  const xpathQuery = `//users[user_id='${decoded.sub}']`;
  const result = xpath.select(xpathQuery, doc);
  return result[0];
}

Attack Pattern 2: Authentication Bypass

// Vulnerable admin check - attacker can inject XPath to bypass role validation
function isAdmin(token) {
  const decoded = jwt.verify(token, process.env.JWT_SECRET);
  const doc = new dom().parseFromString(xmlData);
  
  // Attacker can set role claim to: 'admin' or '1'='1'
  const xpathQuery = `//users[user_id='${decoded.sub}' and role='${decoded.role}']`;
  const result = xpath.select(xpathQuery, doc);
  return result.length > 0;
}

Real-world impact: CVE-2021-39177 demonstrated how JWT claims used in XPath queries led to complete data exposure in enterprise applications.

Jwt Tokens-Specific Detection

Detecting XPath injection in JWT implementations requires examining how token claims interact with XML data access patterns.

Code Review Indicators:

  • Direct interpolation of JWT claims into XPath queries
  • XPath queries constructed using string concatenation with user-controlled data
  • XML data sources accessed using JWT claims as identifiers

middleBrick Scanning Approach:

middleBrick's black-box scanner tests Jwt token endpoints by:

  1. Submitting JWTs with crafted claims containing XPath injection payloads
  2. Monitoring XML database responses for data leakage
  3. Analyzing error messages that reveal XML structure

Automated Testing with middleBrick CLI:

# Scan Jwt token endpoint for XPath injection vulnerabilities
middlebrick scan https://api.example.com/auth --token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

Manual Testing Techniques:

# Test with XPath injection payloads in JWT claims
JWT="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.YOUR_SIGNATURE"

# Payload examples to test:
# 1. ' or '1'='1
# 2. ' and role='admin' and '1'='1
# 3. ' union select * from users where '1'='1

middleBrick's Property Authorization check specifically flags when JWT claims are used to construct database queries without proper validation.

Jwt Tokens-Specific Remediation

Fixing XPath injection in JWT implementations requires input validation and query parameterization.

Remediation Pattern 1: Input Validation

const jwt = require('jsonwebtoken');
const xpath = require('xpath');
const dom = require('xmldom').DOMParser;

function validateJwtClaim(claim, type) {
  switch(type) {
    case 'userId':
      // Only allow alphanumeric user IDs
      return /^[a-zA-Z0-9_-]+$/.test(claim);
    case 'role':
      // Validate against known roles
      const validRoles = ['user', 'admin', 'moderator'];
      return validRoles.includes(claim);
    default:
      return false;
  }
}

function getUserData(token) {
  const decoded = jwt.verify(token, process.env.JWT_SECRET);
  
  if (!validateJwtClaim(decoded.sub, 'userId')) {
    throw new Error('Invalid user ID format');
  }
  
  const doc = new dom().parseFromString(xmlData);
  const xpathQuery = `//users[user_id='${decoded.sub}']`;
  const result = xpath.select(xpathQuery, doc);
  return result[0];
}

Remediation Pattern 2: Parameterized XPath Queries

const xpath = require('xpath');
const dom = require('xmldom').DOMParser;

function getUserDataSafe(token) {
  const decoded = jwt.verify(token, process.env.JWT_SECRET);
  
  // Use XPath variables instead of string interpolation
  const doc = new dom().parseFromString(xmlData);
  const select = xpath.useNamespaces({'x': 'http://example.com/ns'});
  
  // Bind user_id as a parameter
  const result = select(
    '//users[user_id=$user_id]/data',
    doc,
    null,
    { user_id: decoded.sub }
  );
  
  return result[0];
}

Remediation Pattern 3: Whitelist-Based Access Control

const jwt = require('jsonwebtoken');

// Pre-computed lookup instead of XPath queries
const userDataMap = {
  'user123': { name: 'John Doe', role: 'user' },
  'admin456': { name: 'Jane Smith', role: 'admin' }
};

function getUserDataSecure(token) {
  const decoded = jwt.verify(token, process.env.JWT_SECRET);
  
  // Direct lookup - no XPath involved
  const userData = userDataMap[decoded.sub];
  if (!userData) {
    throw new Error('User not found');
  }
  
  return userData;
}

middleBrick Pro Plan Advantage: Continuous monitoring can automatically scan your Jwt token endpoints on a schedule, alerting you if new XPath injection vulnerabilities appear after code changes.

Scan your API now Free API security scan

Frequently Asked Questions

Can XPath injection in JWT tokens lead to authentication bypass?
Yes, if JWT claims are used in XPath queries for authorization checks. Attackers can inject payloads like ' or '1'='1 to make any user appear as an admin. The vulnerable code constructs queries like //users[user_id='X' and role='Y'] where X and Y are JWT claims, allowing logical manipulation.
How does middleBrick detect XPath injection in JWT implementations?
middleBrick submits JWTs with crafted claims containing XPath injection payloads and monitors responses. It tests for data leakage, error messages revealing XML structure, and unauthorized data access. The scanner's Property Authorization check specifically flags when JWT claims are used to construct database queries without proper validation.

Related Pages

Xpath Injection in APIsLearn about XPath injection vulnerabilities in APIs, how attackers exploit them, detection methods, and prevention stratJwt Tokens API SecurityJwt Token security guide covering implementation mechanisms, common misconfigurations, and hardening best practices. LeaXpath Injection on AzureLearn how Xpath Injection affects Azure applications, detection methods using middleBrick, and Azure-specific remediatioXpath Injection on AwsXPath injection in Aws environments: attack patterns, detection with middleBrick CLI/GitHub Action, and Aws-specific remGdpr: Xpath InjectionXPath Injection risks personal data breaches under GDPR. Learn attack patterns, detection via middleBrick, and secure coCis: Xpath InjectionLearn how case insensitivity (Cis) enables XPath injection attacks, how middleBrick detects these flaws via black-box scIso 27001: Xpath InjectionLearn how ISO 27001 relates to XPath injection risks, detection via black-box scanning, and secure remediation using parHipaa: Xpath InjectionHipaa compliance requires strict PHI protection, but Xpath Injection in APIs can bypass access controls to expose patienXpath Injection in Buffalo with Jwt TokensLearn how XPath Injection can occur with JWT tokens in Buffalo, and apply concrete code fixes to validate claims and avoXpath Injection in Adonisjs with Jwt TokensLearn how XPath Injection combines with JWT tokens in AdonisJS, with concrete remediation examples and secure JWT handliXpath Injection in Axum with Jwt TokensXPath Injection in Axum using JWT tokens: risks, examples, and remediation with concrete Rust code and JWT handling guidXpath Injection in Actix with Jwt TokensXpath Injection in Actix with JWT tokens: risks, exploitation via claims, and secure validation and XPath filtering patt