SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-643 XPath Injection

Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 4 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged XPath being constructed from untrusted input. This is the same core risk as CWE-91, but commonly appears in "XML query/filter" helper functions where developers dynamically stitch together XPath fragments.

Why it matters

XPath injection can expose or alter XML data.

Safer examples

1) Don't concatenate predicates from user input

If you need "filters", support a small allowlisted set of fields/operators and map them to safe expressions.

2) Validate inputs to strict formats

IDs/usernames should match tight allowlists (see CWE-20 / CWE-86).

import re

if not re.fullmatch(r"[a-zA-Z0-9_-]{1,64}", user_id):
    raise ValueError("Invalid id")

3) Use parameterization/variables where supported

Many XPath engines support variables/bindings, use those instead of string concatenation (see CWE-91).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.