how can i solve XPath injection

0
Hello,

I developed an application and we have a security team in our company. The security team tested our system and they noticed that my project has an XPath injection bug. They told me the extra XPath can be changed and manipulated. Actually I set access rules on all entities, but they still said that it is a security bug.

I use the Data Grid 2 component. When a user writes some word, an extra XPath is added automatically.

The security team's notes are:

XPath Injection: The application doesn't securely bind the extraXpath input used in listing requests to the XPath predicate. This allows an attacker to bypass filters and list all records in the collection by injecting Boolean expressions/comparisons into the predicate. It's recommended to remove free-form expression fields like extraXpath, and if necessary, map client-selectable options to a predefined and limited set on the server.

Please help me.
asked
2 answers
4

You cannot "solve" XPath injection. This is just the way Mendix works. But this shows that you cannot rely on XPath constraints on pages. Entity access should be configured at the database level (domain model). This way, even with XPath injection, users can't retrieve more data than they're allowed to see anyway. They will be able to circumvent constraints on the page, but that's not going to hurt security. If, for example, managers can see their employees somewhere in the application, but you made a page dedicated to showing employees who joined the organization less than a year ago, users will be able, using XPath injection, to show all their employees on that page, but not more than they're allowed to see according to entity access.

answered
1

Martin has this spot on. When explaining this to full stack developers / security teams, you need to explain that you have your:

  • Row level access security via the domain model
  • Then that data can be retrieved like an API with a lot of different GET parameters to filter down on.

The security lies in the access rules. Intercepting the request and changing the browser call is fine.

It's like saying:

  • Access rules = this user can only see projects that they are associated to
  • XPath Query = (access rules) + search for this project name
answered
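Both answers make the same point: the page-level constraint plus a client-supplied extraXpath can be widened by the client, but the domain-model access rule is applied on every query, so the result set never grows beyond what entity access allows. The following Python simulation, added here as an illustration and not Mendix runtime code, models that with a constructed employee table, a server-side access rule, a toy evaluator for flat XPath-style predicates, and a hardened listing that maps a client-chosen option key to a server-defined predicate, as the security team recommends. The way the page constraint and extra predicate are concatenated into one string is an assumption made for the demonstration.

```python
"""Toy model of the listing described in the question and answers above:
a row-level entity access rule applied on every query, a page-level XPath
constraint concatenated with a client-supplied extra predicate, and a
hardened variant that maps an option key to a server-owned predicate.
Constructed example, not Mendix runtime code."""
import operator
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    name: str
    manager: str       # user name of the manager allowed to see this row
    years_in_org: int


# Constructed sample rows: two managers with two employees each.
EMPLOYEES = [
    Employee("Alice", "manager_a", 0),
    Employee("Bob", "manager_a", 5),
    Employee("Carol", "manager_b", 0),
    Employee("Dave", "manager_b", 7),
]


def access_rule(row: Employee, current_user: str) -> bool:
    """Stand-in for the domain-model rule 'a manager sees only their own
    employees'. It is defined on the server and applied to every query."""
    return row.manager == current_user


_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_TERM = re.compile(r"^\s*('[^']*'|\w+)\s*(!=|<=|>=|=|<|>)\s*('[^']*'|\w+)\s*$")


def _operand(token: str, row: Employee):
    """Quoted text is a string literal, digits an integer, anything else an attribute."""
    if token.startswith("'"):
        return token[1:-1]
    if token.isdigit():
        return int(token)
    if not hasattr(row, token):
        raise ValueError(f"unknown attribute {token!r}")
    return getattr(row, token)


def _compare(term: str, row: Employee) -> bool:
    m = _TERM.match(term)
    if m is None:
        raise ValueError(f"malformed term {term!r}")
    left, op, right = m.groups()
    return _OPS[op](_operand(left, row), _operand(right, row))


def evaluate(predicate: str, row: Employee) -> bool:
    """Evaluate a flat XPath-style predicate against one row. Only comparisons
    joined by 'and'/'or' are supported, with 'and' binding tighter than 'or';
    this is a toy evaluator, not an XPath engine."""
    return any(
        all(_compare(term, row) for term in re.split(r"\s+and\s+", group))
        for group in re.split(r"\s+or\s+", predicate.strip())
    )


def list_employees(current_user: str, page_xpath: str, extra_xpath: str) -> list[str]:
    """Listing as the security team found it: extra_xpath is taken verbatim
    from the client and appended to the page constraint (assumed to be plain
    string concatenation). Entity access is still checked on every row, so
    the result can never exceed what the access rule allows."""
    predicate = f"{page_xpath} and {extra_xpath}" if extra_xpath else page_xpath
    return [row.name for row in EMPLOYEES
            if access_rule(row, current_user) and evaluate(predicate, row)]


# Hardened listing: the client sends an option key, the server owns the predicate.
EXTRA_OPTIONS = {
    "recent_joiners": "years_in_org < 1",
    "veterans": "years_in_org >= 5",
}


def list_employees_hardened(current_user: str, option: str) -> list[str]:
    if option not in EXTRA_OPTIONS:
        raise ValueError(f"unknown option {option!r}")
    return [row.name for row in EMPLOYEES
            if access_rule(row, current_user) and evaluate(EXTRA_OPTIONS[option], row)]


if __name__ == "__main__":
    page = "years_in_org < 1"   # the page for "employees who joined less than a year ago"
    print(list_employees("manager_a", page, "name = 'Alice'"))           # ['Alice']
    # A tampered extra predicate drops the page filter but not the access rule.
    print(list_employees("manager_a", page, "name = 'Alice' or 1 = 1"))  # ['Alice', 'Bob']
    print(list_employees_hardened("manager_a", "recent_joiners"))        # ['Alice']
```

The second call shows the situation from Martin's answer: manager_a's tampered request lists all of manager_a's employees, including the one who joined five years ago, but Carol and Dave stay invisible because the access rule is evaluated independently of anything the client sent. The hardened listing removes the free-form field altogether, so a request that is not one of the predefined keys is rejected before any predicate is built.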