Xpath Injection in Fiber with Basic Auth

XPath Injection occurs when user input is concatenated into an XPath expression without proper sanitization or parameterization, allowing an attacker to alter query logic. In Fiber, a fast web framework for Node.js, this typically arises when an XML document is processed server-side—such as during SAML assertions, legacy configuration feeds, or custom XML-based APIs—and user-controlled data (e.g., a query parameter or header value) is used to construct the XPath.

When Basic Authentication is used in Fiber, credentials are often extracted from the Authorization header on each request. If the application parses XML (for example, using a third-party library) and builds an XPath expression by interpolating values from the request—such as a username extracted from Basic Auth or a parameter from the query string—an attacker can inject XPath syntax. For example, a username like admin' or '1'='1 could change the intent of an XPath lookup, potentially bypassing intended access controls or retrieving sensitive nodes from the XML document.

This combination is notable because Basic Auth credentials are base64-encoded but not encrypted; they are easily decoded by an attacker observing network traffic or inspecting request headers. Even if the credentials themselves are not directly used in XPath construction, the associated user identity extracted from them may be. If the application relies on a single XML document to enforce authorization (for example, an in-memory user list stored as XML), an injected XPath can return unintended nodes, effectively escalating privileges or bypassing authentication checks. Because XPath lacks parameterized query support in many JavaScript libraries, concatenation remains common, making injection feasible.

Real-world attack patterns mirror those described in the OWASP API Top 10 and broader web security literature. For example, an attacker might submit an XPath expression in a query parameter that causes the server to return all user nodes, exposing emails or roles. In a CI/CD context, scanning with middleBrick can detect such injection points through its unauthenticated black-box checks and its OpenAPI/Swagger analysis, which cross-references spec definitions with runtime behavior to highlight risky parameter handling.

Because Fiber does not enforce a particular XML parsing library, developers must ensure that any XPath construction uses parameterized APIs or strict input validation. middleBrick’s checks for Input Validation and Property Authorization are designed to surface these risks, providing prioritized findings with severity and remediation guidance. The scanner runs 12 security checks in parallel and returns a letter-grade risk score in 5–15 seconds, helping teams identify XPath issues early without requiring credentials or agent installation.

To mitigate XPath Injection when using Basic Authentication in Fiber, avoid constructing XPath expressions through string concatenation with user-controlled data. Instead, use parameterized XPath methods where available, or normalize inputs strictly. Below are concrete code examples showing vulnerable patterns and their secure counterparts.

First, a vulnerable Fiber route that demonstrates the problem:

const express = require('express'); // Note: Fiber is inspired by Express; patterns align
const app = express();
const parseAuthorization = require('basic-auth');
const { parseString } = require('xml2js');

app.get('/user', (req, res) => {
  const user = parseAuthorization(req);
  if (!user || !user.pass) {
    return res.status(401).send('Auth required');
  }
  const username = user.name; // extracted from Basic Auth
  // Vulnerable: username directly interpolated into XPath
  const xpath = `//user[name='${username}']`;
  // Assume xmlData is loaded and xmldoc is an XML document object
  const result = evaluateXPath(xmlData, xpath); // hypothetical function
  if (!result) return res.status(403).send('Forbidden');
  res.json({ role: result.role });
});

In this example, an attacker can supply a username such as admin' or '1'='1 to manipulate the XPath and potentially authenticate as any user or access unauthorized data.

A secure approach uses strict allowlisting and avoids dynamic XPath construction:

const allowedRoles = new Set(['admin', 'user', 'guest']);

app.get('/user', (req, res) => {
  const user = parseAuthorization(req);
  if (!user || !user.pass) {
    return res.status(401).send('Auth required');
  }
  const username = user.name;
  // Enforce allowlist for usernames or roles
  if (!allowedRoles.has(username)) {
    return res.status(403).send('Forbidden');
  }
  // Use a parameterized or compiled XPath if the library supports it
  const compiled = compileXPath('//user[name=$name]');
  const result = evaluateXPathWithParams(compiled, { name: username });
  if (!result) return res.status(403).send('Forbidden');
  res.json({ role: result.role });
});

Key remediation steps:

• Do not concatenate user input into XPath strings; use parameterized APIs or prepared expressions if your XML library supports them.
• Implement strict allowlists for identifiers extracted from authentication contexts (e.g., usernames from Basic Auth).
• Validate and normalize inputs before using them in any query construction, and prefer JSON-based APIs over XML where feasible to reduce complexity.
• Apply defense-in-depth by rate limiting and monitoring for unusual XPath patterns, which can be surfaced by middleBrick’s Rate Limiting and Data Exposure checks.

Organizations using the Pro plan can enable continuous monitoring to detect regressions, while those on the free tier can run on-demand scans via the CLI (middlebrick scan <url>) to validate remediation. The GitHub Action can enforce a minimum score threshold before merging, and the MCP Server allows scanning APIs directly from AI coding assistants during development.