HIGH | XPath injection | AWS

XPath Injection on AWS

How XPath Injection Manifests in AWS

XPath injection vulnerabilities in AWS environments emerge when user-supplied data is incorporated into an XPath expression without proper handling. In AWS applications the XML usually comes from one of a few places: responses from services whose APIs speak XML (the S3 REST API, the EC2 Query API, the legacy Amazon SimpleDB API) when a function calls them directly rather than through an SDK; XML documents the application itself stores in S3 or bundles with a Lambda deployment package; and XML-based protocols such as SAML assertions used for IAM federation. DynamoDB exports, by contrast, are JSON or Amazon Ion, not XML, and are not an XPath surface.

The most common manifestation is user input concatenated directly into an XPath expression. For example, an AWS Lambda function that looks up a user in an XML document might construct its query like this (the sample XML is embedded for illustration; in practice it would be loaded from S3 or shipped with the function):

const xpath = require('xpath');
const { DOMParser } = require('@xmldom/xmldom');

// Sample document the function queries (illustrative)
const xmlData = `<users>
  <user><username>admin</username><role>admin</role></user>
  <user><username>alice</username><role>user</role></user>
</users>`;

exports.handler = async (event) => {
  const userInput = event.username;
  const doc = new DOMParser().parseFromString(xmlData, 'text/xml');
  // VULNERABLE: the raw value is interpolated into the expression text
  const xpathQuery = `//user[username='${userInput}']`;
  const result = xpath.select(xpathQuery, doc);
  return result.map(node => node.toString());
};

This code is vulnerable because an attacker can supply input like admin' or '1'='1, transforming the XPath query into:

//user[username='admin' or '1'='1']

The predicate is now true for every user element, so the query returns all user records instead of one. In AWS contexts this is particularly dangerous when the XML carries AWS-specific information such as IAM role names, S3 bucket configurations, or EC2 instance details.

Another scenario involves XML that originates from AWS APIs. The EC2 Query API and the S3 REST API answer in XML; the AWS SDKs parse that XML into objects for you, but a function that calls these APIs directly, or that keeps an inventory built from DescribeInstances as an XML document in S3, and then filters it with XPath built from user input is exposed (bucket and key below are placeholders):

const AWS = require('aws-sdk');
const xpath = require('xpath');
const { DOMParser } = require('@xmldom/xmldom');

const s3 = new AWS.S3();
// Fleet inventory kept as an XML document in S3 (placeholder bucket and key)
const INVENTORY = { Bucket: 'my-inventory-bucket', Key: 'ec2-inventory.xml' };

exports.handler = async (event) => {
  const instanceId = event.instanceId;
  const obj = await s3.getObject(INVENTORY).promise();
  const doc = new DOMParser().parseFromString(obj.Body.toString('utf8'), 'text/xml');
  // VULNERABLE: instanceId is interpolated into the predicate
  const xpathQuery = `//Instances/Instance[InstanceId='${instanceId}']`;
  const result = xpath.select(xpathQuery, doc);
  return result.map(node => node.toString());
};

An attacker who controls instanceId can break out of the predicate, for example with i-0' or '1'='1, and receive every instance in the inventory rather than the single instance they were authorised to see, including metadata about other tenants' instances or service configurations.

CloudFormation templates are JSON or YAML, not XML, so a stack is not an XPath surface by itself. The risk appears when an application converts stack or resource descriptions into an XML document (for example an inventory it stores in S3) and lets user input shape XPath queries over it; an attacker could then extract security group rules, IAM policy documents, or other infrastructure details the query was meant to hide.

AWS-Specific Detection

Detecting XPath injection in AWS environments requires both static analysis and runtime scanning. The middleBrick CLI scans the HTTP endpoints that AWS services expose (API Gateway stages, Lambda function URLs) for XPath injection behaviour; the Lambda code behind them is covered by static analysis.

Using middleBrick to scan an API Gateway endpoint or a Lambda function URL (both URLs are placeholders):

npx middlebrick scan https://your-aws-api-gateway-endpoint.com/api/user

# Or scan a Lambda function URL directly
npx middlebrick scan https://<url-id>.lambda-url.<region>.on.aws/

middleBrick's AWS-specific detection includes:

Detection type       | What it looks for                                              | AWS context
Static analysis      | String concatenation into XPath expressions                    | Lambda function code, CloudFormation templates
Dynamic testing      | Injection payloads (quotes, boolean operators, unions) in XML-backed parameters | API Gateway endpoints, EC2 metadata queries
Configuration review | Unsafe XML parsing configurations                              | Lambda execution roles, IAM policies

For AWS developers, the GitHub Action integration provides continuous monitoring (the target URL is a placeholder):

name: API Security Scan
on: [push, pull_request]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run middleBrick Scan
        uses: middlebrick/middlebrick-action@v1
        with:
          target_url: https://your-aws-api-gateway-endpoint.com/api
          fail_below_score: 80
          token: ${{ secrets.MIDDLEBRICK_TOKEN }}

Manual detection techniques for AWS environments include:

  • Review Lambda function code for XPath expressions built by string concatenation or template literals
  • Check API Gateway integration responses for XML data exposure
  • Audit any code that serialises stack or resource data to XML and queries it with user input
  • Log the user-supplied values that reach XPath expressions from Lambda to CloudWatch Logs and alert on quote characters, boolean operators and union bars (CloudTrail records API calls, not application-level queries, so it will not show this)
  • Test with payloads such as ' or '1'='1, ' and @admin='true and '] | //* | //user[' (the last one closes the predicate and unions in every node)

The middleBrick MCP Server allows AWS developers to scan APIs directly from their IDE:

# In Claude or Cursor
/scan https://your-aws-api-gateway-endpoint.com/api/user

# Results show XPath injection risk with specific line numbers and remediation steps

AWS-Specific Remediation

Remediating XPath injection in AWS environments requires a defense-in-depth approach. The primary strategy is variable binding, the XPath counterpart of prepared statements in SQL: the expression text is fixed and the user value is passed as an XPath variable. The xpath npm package supports this through its parsed-expression API (xpath.parse, then select with a variables option), so a Lambda function can be written as:

const xpath = require('xpath');
const { DOMParser } = require('@xmldom/xmldom');

// Sample document (illustrative)
const xmlData = '<users><user><username>admin</username></user><user><username>alice</username></user></users>';

// Compile once at cold start; $user is an XPath variable, never part of the expression text
const userQuery = xpath.parse('//user[username=$user]');

exports.handler = async (event) => {
  const userInput = String(event.username);
  const doc = new DOMParser().parseFromString(xmlData, 'text/xml');
  // Safe: the value is bound as an XPath string, so quotes in it cannot alter the query
  const result = userQuery.select({ node: doc, variables: { user: userInput } });
  return result.map(node => node.toString());
};

Variable binding is the fix wherever the library offers it; check that the xpath version pinned in your Lambda bundle provides the parsed-expression API, because older releases only expose xpath.select with a plain expression string. Where binding is not available, restrict the input with an allow-list before it touches the expression. Stripping quote characters is not a substitute: it silently alters the value and a blacklist misses constructs such as ] and |.

const xpath = require('xpath');
const { DOMParser } = require('@xmldom/xmldom');

// Sample document (illustrative)
const xmlData = '<users><user><username>admin</username></user><user><username>alice</username></user></users>';

// Allow-list: a username may contain only these characters, so quotes, brackets
// and operators can never reach the expression. Anchors (^ $) are essential.
const USERNAME = /^[a-zA-Z0-9_-]{1,64}$/;

exports.handler = async (event) => {
  const userInput = event.username;
  // Validate before the expression is built, and reject rather than "clean" the value
  if (typeof userInput !== 'string' || !USERNAME.test(userInput)) {
    throw new Error('Invalid username format');
  }
  const doc = new DOMParser().parseFromString(xmlData, 'text/xml');
  const xpathQuery = `//user[username='${userInput}']`;
  const result = xpath.select(xpathQuery, doc);
  return result.map(node => node.toString());
};

For AWS SDK calls there is no XML to query: the SDK parses the Query API's XML response into a JavaScript object. Validate the identifier before the call and read the result as an object instead of re-serialising it and running XPath over it:

const AWS = require('aws-sdk');

const ec2 = new AWS.EC2();
// Anchored: the whole value must be a single instance ID. An unanchored
// /i-[a-f0-9]{8,17}/ would accept "i-0123456789abcdef0' or '1'='1".
const INSTANCE_ID = /^i-[0-9a-f]{8,17}$/;

exports.handler = async (event) => {
  const instanceId = event.instanceId;
  if (typeof instanceId !== 'string' || !INSTANCE_ID.test(instanceId)) {
    throw new Error('Invalid instance ID format');
  }
  const data = await ec2.describeInstances({ InstanceIds: [instanceId] }).promise();
  // The SDK has already parsed the XML response; work with the object graph
  const instances = data.Reservations.flatMap(r => r.Instances);
  return instances.map(i => ({ id: i.InstanceId, state: i.State.Name }));
};

For infrastructure definitions, CloudFormation templates are JSON or YAML; generate and inspect them through AWS SAM or the CDK rather than serialising stack data to XML and querying it, so there is no XPath surface at all:

// Using AWS CDK (v1 module layout) instead of hand-built templates
const cdk = require('@aws-cdk/core');
const lambda = require('@aws-cdk/aws-lambda');

class SecureStack extends cdk.Stack {
  constructor(scope, id) {
    super(scope, id);

    // CDK synthesises the template from typed objects; no string building, no XPath
    new lambda.Function(this, 'MyFunction', {
      runtime: lambda.Runtime.NODEJS_14_X,
      code: lambda.Code.fromAsset('lambda'),
      handler: 'index.handler'
    });
  }
}

module.exports = { SecureStack };

The middleBrick dashboard helps track remediation progress by showing:

  • Current security score for each AWS API endpoint
  • Specific XPath injection findings with line numbers
  • Remediation status tracking across development teams
  • Compliance mapping to the OWASP Top 10, where XPath injection falls under Injection (A1 in the 2017 list, A03 in 2021); XML External Entities (A4 in 2017) is a separate XML-parsing weakness

Frequently Asked Questions

How does XPath injection differ from SQL injection in AWS environments?
Both are injection attacks, but XPath injection targets XML documents rather than database queries. In AWS, XPath injection typically appears in Lambda functions that query XML (documents stored in S3, SAML assertions, or raw XML responses from AWS APIs), whereas SQL injection targets databases such as Amazon RDS. XPath injection can expose configuration data, IAM policy documents and service metadata held in XML, while SQL injection exposes database records. middleBrick detects both but uses different scanning techniques for each.
Can middleBrick scan AWS Lambda functions directly for XPath injection?
middleBrick scans the API endpoints exposed by AWS services, not the Lambda functions themselves. For Lambda functions behind API Gateway, scan the API Gateway URL; for functions with a function URL, scan that URL. The CLI can scan any reachable URL, including AWS API Gateway stages. For the most comprehensive coverage, use the GitHub Action to scan your staging APIs before deployment to production.