Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Is XPath injection a false positive?

priya | Last updated: Jun 22, 2021 03:12PM UTC

In pen test report using the Burpsuite getting below report: 1. XPath injection 1.1. https://domain.com/api/v2/create_playlist_videos [URL path filename] 1.2. https://domain.com/api/v2/create_playlist_videos [URL path folder 2] 1.3. https://domain.com/api/v2/create_playlist_videos [URL path folder 3] 1.4. https://domain.com/api/v2/favourite [URL path filename] 1.5. https://domain.com/api/v2/favourite [URL path folder 2] 1.6. https://domain.com/api/v2/favourite [URL path folder 3] The API response content type is JSON and XML-based query is not used anywhere in the application. Kindly guide me on this. Are these valid or false positive? if false-positive how to overcome this. sample API response: { "error":false, "statusCode":200, "status":"success", "message":"Playlist retrieved successfully", "response":{ "playlist_info":{ "_id":"XXXXXX", "name":"XXXX", "created_at":"2020-11-27 19:11:25" } } }

Uthman, PortSwigger Agent | Last updated: Jun 25, 2021 08:53AM UTC

Hi Priya, We do not offer consulting services, unfortunately. Can you please find further information on your issue below? - https://portswigger.net/kb/issues/00100600_xpath-injection - https://portswigger.net/web-security/dom-based/client-side-xpath-injection If XML is not used anywhere in the application then you may be correct in assuming that it is a false positive. However, I would strongly recommend confirming this with your development team.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.