Xpath Injection in Dynamodb
How Xpath Injection Manifests in Dynamodb
XPath injection in DynamoDB contexts typically occurs when developers construct DynamoDB query parameters using untrusted input without proper sanitization. While DynamoDB uses JSON-based query structures rather than XPath syntax, the injection patterns emerge when developers build DynamoDB API calls dynamically based on user input.
A common vulnerability pattern appears in DynamoDB's Query and Scan operations where filter expressions are constructed. Consider this vulnerable code:
const params = {
TableName: 'Users',
KeyConditionExpression: 'username = :username',
ExpressionAttributeValues: {
':username': userInput
}
};
The issue becomes apparent when developers concatenate user input into more complex expressions. A malicious user could supply input like:
admin" OR begins_with(password, "aThis transforms the query into:
KeyConditionExpression: 'username = "admin" OR begins_with(password, "a"'
Resulting in unauthorized data exposure across multiple records.
Another DynamoDB-specific injection vector involves the FilterExpression parameter. Developers often build these expressions dynamically:
let filter = 'age > :age';
if (userInput.department) {
filter += ' AND department = "' + userInput.department + '"';
}
An attacker could supply: IT" OR begins_with(ssn, "123") to bypass authorization checks and access sensitive data.
Global Secondary Indexes (GSI) queries present additional risks. When constructing queries across multiple attributes, developers might build expressions like:
KeyConditionExpression: 'GSI1Key = :key AND ' + dynamicCondition
Where dynamicCondition incorporates user input without validation.
Dynamodb-Specific Detection
Detecting XPath injection patterns in DynamoDB requires analyzing how query parameters are constructed and executed. The middleBrick API security scanner identifies these vulnerabilities through several DynamoDB-specific checks.
middleBrick's black-box scanning approach tests DynamoDB endpoints by sending crafted payloads to API routes that likely interact with DynamoDB. The scanner examines responses for indicators of successful injection, such as:
- Unexpected data volume in responses
- Response times that suggest full table scans vs indexed queries
- Error messages containing database-specific information
- Access to records outside the authenticated user's scope
- Cross-tenant data exposure
For DynamoDB specifically, middleBrick tests common injection patterns:
// Test for expression injection
payload = 'admin" OR contains(email, "@") AND begins_with(password, "pass")'
// Test for boolean logic manipulation
payload = 'user" OR (attribute_exists(ssn) AND attribute_not_exists(deleted_at))'
// Test for type confusion
payload = '" OR (size(password) > 0 AND contains(role, "admin"))'
The scanner also analyzes OpenAPI specifications to identify DynamoDB operations that accept dynamic expressions. It flags API endpoints where:
- Query parameters are directly used in
FilterExpressionorKeyConditionExpression - User input appears in
ExpressionAttributeNamesorExpressionAttributeValueswithout validation - GSI queries accept dynamic attribute names
- Batch operations construct keys from user input
middleBrick's LLM security module adds another layer by detecting if AI/ML endpoints that interact with DynamoDB are vulnerable to prompt injection attacks that could manipulate database queries through system prompt leakage.
Dynamodb-Specific Remediation
Securing DynamoDB queries against injection requires using the service's built-in parameterization features rather than string concatenation. Here are DynamoDB-specific remediation patterns:
1. Use Parameterized Expressions
Instead of concatenating user input, always use parameterized expressions with placeholders:
// Vulnerable
const params = {
TableName: 'Users',
KeyConditionExpression: 'username = "' + userInput + '"',
};
// Secure
const params = {
TableName: 'Users',
KeyConditionExpression: 'username = :username',
ExpressionAttributeValues: {
':username': userInput
}
};
2. Validate Input Types
Ensure user input matches expected data types before using in queries:
function validateInput(input, expectedType) {
const typeMap = {
string: v => typeof v === 'string',
number: v => typeof v === 'number' && !isNaN(v),
boolean: v => typeof v === 'boolean'
};
if (!typeMap[expectedType](input)) {
throw new Error(`Invalid input type: expected ${expectedType}`);
}
return input;
}
// Usage
const safeUsername = validateInput(userInput.username, 'string');
const safeAge = validateInput(userInput.age, 'number');
3. Use IAM Policies for Data Filtering
Implement row-level security using IAM policies with condition expressions:
const params = {
TableName: 'Users',
KeyConditionExpression: 'GSI1Key = :key',
FilterExpression: '#user_id = :user_id',
ExpressionAttributeNames: {
'#user_id': 'user_id'
},
ExpressionAttributeValues: {
':user_id': userId,
':key': partitionKeyValue
}
};
4. Implement Whitelist Validation
For dynamic queries, validate attribute names against a whitelist:
const allowedAttributes = ['username', 'email', 'age', 'department'];
function buildSafeFilterExpression(userInput) {
const conditions = [];
const attributeValues = {};
const attributeNames = {};
Object.keys(userInput).forEach((key, index) => {
if (!allowedAttributes.includes(key)) {
throw new Error(`Invalid attribute: ${key}`);
}
const valueKey = `:${key}${index}`;
const nameKey = `#${key}`;
conditions.push(`${nameKey} = ${valueKey}`);
attributeValues[valueKey] = userInput[key];
attributeNames[nameKey] = key;
});
return {
FilterExpression: conditions.join(' AND '),
ExpressionAttributeValues: attributeValues,
ExpressionAttributeNames: attributeNames
};
}
5. Use DynamoDB's Built-in Functions Safely
When using functions like begins_with, contains, or size, ensure parameters are hardcoded or properly validated:
const params = {
TableName: 'Users',
IndexName: 'EmailIndex',
KeyConditionExpression: 'email = :email',
FilterExpression: 'begins_with(last_login, :date) AND account_status = :status',
ExpressionAttributeValues: {
':email': userInput.email,
':date': '2024-01',
':status': 'active'
}
};
6. Implement Rate Limiting and Monitoring
Even with proper parameterization, monitor for unusual query patterns:
const rateLimiter = new RateLimiter({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
// Monitor query patterns
const queryMonitor = new QueryMonitor({
suspiciousPatterns: [
'OR',
'AND NOT',
'EXISTS(',
'attribute_exists('
]
});