CWE-91 XML/XPath Injection
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged an XPath expression that is being built using untrusted input. XPath is like "SQL for XML"; if you concatenate strings, attackers can change the query logic.
Why it matters
XPath injection can expose or modify XML data.
- Data exposure: attackers can query unexpected nodes/attributes.
- Auth bypass if XML-backed auth/ACL checks rely on injectable XPath.
- Integrity issues if the injected expression controls updates or selections.
Safer examples
1) Use XPath variables / parameterization when supported (Python + lxml)
from lxml import etree
doc = etree.fromstring(xml_bytes)
user_id = user_input # still validate/allowlist expected format
nodes = doc.xpath("//user[@id=$id]", id=user_id)
2) Allowlist selectors instead of accepting raw XPath
If users are choosing "which field to search," map that choice to a known safe XPath snippet.
3) Prefer structured parsing over XPath for security decisions
For auth/ACL decisions, parse and compare explicit fields rather than evaluating user-influenced XPath.
How SiteShadow detects it (high level)
- Detects XPath evaluation APIs and checks whether the expression is derived from untrusted input.
- Flags cases where the XPath result gates auth/data access.
References
- CWE-91: https://cwe.mitre.org/data/definitions/91.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.