Burp Suite User Forum


Xpath injection issue because of the word "xpath" in the response

Yogesh | Last updated: Mar 31, 2022 09:19AM UTC

The string 'XPath' happens to appear in our HTML response as a part of the Google analytics payload and that section has nothing to do with XML or XPATH. In fact, we are returning the word "XPath" explicitly in the response. We don't use XML or XPath for data storage (although we do use XMLs to hold store configurations).

Request:

GET /?store=001 HTTP/1.1
Host: abc.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: https://example.com/'   <---- See the quote added here

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Mar 2022 05:52:37 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 166794
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=57mljo8alveaffd16f066mkgnv; expires=Wed, 23-Mar-2022 06:52:36 GMT; Max-Age=3600; path=/; domain=m2uat.surplusfurniture.com; secure; HttpOnly; SameSite=Lax
Pragma: no-cache
Cache-Control: max-age=0, must-revalidate, no-cache, no-store
Expires: Tue, 23 Mar 2021 05:52:36 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
vStore: abc.com
X-Host: abc.com
Accept-Ranges: bytes
Access-Control-Allow-Origin: *

Snip
<script type="application/ld+json">{"@context":"http:\/\/schema.org\/","@type":"WebPage","speakable":{"@type":"SpeakableSpecification","cssSelector":[".cms-content"],"xpath":["\/html\/head\/title"]}}</script>
Snip

Please note that in the response Snip, the word "XPath" is returned as a part of Google analytics payload. Just looking for reassurance that these are, in fact, false positives.

Liam, PortSwigger Agent | Last updated: Mar 31, 2022 12:02PM UTC

Hi Yogesh. This looks like a false positive. If you are certain XML data is not used by your application, you can be almost sure that the XPath injection vulnerability is a false positive since it is just coincidentally displaying the string "xPaTh" in the response. Please let us know if you need any further assistance.
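The triage step behind Liam's reasoning, as an added example that is not part of the thread and not Burp Scanner's own logic: compare the baseline response with the one returned for the probed request, and check whether every "xpath" hit was already present before the probe and sits inside structured data (the JSON-LD block quoted above) rather than in an error message. Both response bodies and the heuristic are constructed for illustration.

```python
import re

# Constructed sample bodies. The JSON-LD block is the one quoted in the thread;
# the page emits it no matter what the Referer header contains, so the baseline
# (no quote in Referer) and the probed response (quote in Referer) are identical.
BASELINE_BODY = r"""<html><head><title>Store</title>
<script type="application/ld+json">{"@context":"http:\/\/schema.org\/","@type":"WebPage",
"speakable":{"@type":"SpeakableSpecification","cssSelector":[".cms-content"],
"xpath":["\/html\/head\/title"]}}</script></head><body>Welcome</body></html>"""
PROBED_BODY = BASELINE_BODY

# Constructed counter-example: a hit that appears only after the probe and looks
# like a PHP warning from DOMXPath rather than structured data. This is the shape
# of response that would deserve manual review instead of being closed.
PROBED_BODY_ERROR = BASELINE_BODY.replace(
    "Welcome", "Warning: DOMXPath::query(): Invalid expression")

INDICATOR = re.compile(r"xpath", re.IGNORECASE)
LD_JSON = re.compile(
    r'<script[^>]*type="application/ld\+json"[^>]*>(.*?)</script>', re.S | re.I)


def indicator_offsets(body):
    """Start offset of every case-insensitive 'xpath' hit in a response body."""
    return [m.start() for m in INDICATOR.finditer(body)]


def in_structured_data(body, offset):
    """True when the hit lies inside a JSON-LD <script> block (data, not an error)."""
    return any(m.start(1) <= offset < m.end(1) for m in LD_JSON.finditer(body))


def triage(baseline, probed):
    """Classify an 'xpath'-string finding by comparing baseline and probed responses."""
    base_hits = len(indicator_offsets(baseline))
    probed_offsets = indicator_offsets(probed)
    new_hits = max(len(probed_offsets) - base_hits, 0)
    outside = [o for o in probed_offsets if not in_structured_data(probed, o)]
    verdict = ("likely false positive" if new_hits == 0 and not outside
               else "needs manual review")
    return {"baseline_hits": base_hits, "probed_hits": len(probed_offsets),
            "new_hits": new_hits, "hits_outside_structured_data": len(outside),
            "verdict": verdict}


if __name__ == "__main__":
    print(triage(BASELINE_BODY, PROBED_BODY))
    print(triage(BASELINE_BODY, PROBED_BODY_ERROR))
```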
