SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-91 XML/XPath Injection

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged an XPath expression that is being built using untrusted input. XPath is like "SQL for XML"; if you concatenate strings, attackers can change the query logic.

Why it matters

XPath injection can expose or modify XML data.

Safer examples

1) Use XPath variables / parameterization when supported (Python + lxml)

from lxml import etree

doc = etree.fromstring(xml_bytes)
user_id = user_input  # still validate/allowlist expected format
nodes = doc.xpath("//user[@id=$id]", id=user_id)

2) Allowlist selectors instead of accepting raw XPath

If users are choosing "which field to search," map that choice to a known safe XPath snippet.

3) Prefer structured parsing over XPath for security decisions

For auth/ACL decisions, parse and compare explicit fields rather than evaluating user-influenced XPath.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.