---
name: cwe-643-xpath-injection
description: Use this skill when you need to remediate CWE-643 (XPath Injection) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing XPath injection issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-643
  - remediation
  - sast
  - xpath-injection
  - xml
  - injection
---
# CWE-643 XPath Injection

## Description

XPath Injection occurs when untrusted input is concatenated into an XPath expression, so that the input can change the structure of the query rather than only the value being compared.

Reference: https://cwe.mitre.org/data/definitions/643.html

OWASP Category: A03:2021 – Injection
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: String concatenation in XPath
XPath xPath = XPathFactory.newInstance().newXPath();
String username = request.getParameter("user");
// The untrusted value becomes part of the expression's syntax
String xpath = "//users/user[name='" + username + "']/password";
XPathExpression expr = xPath.compile(xpath);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
```

**Why it's vulnerable:** the request parameter is spliced into the expression text, so a single quote in the input terminates the string literal and the remainder of the input is parsed as XPath syntax. The application then evaluates a query whose structure was chosen by the client, which can select nodes (here, passwords) that the intended query would never have returned.
## Deterministic Fix

### ✅ Secure Implementation

```java
// SECURE: Use XPath variables (parameterized)
String username = request.getParameter("user");

// Create a variable resolver and register it before compiling the expression
XPath xPath = XPathFactory.newInstance().newXPath();
xPath.setXPathVariableResolver(new XPathVariableResolver() {
    @Override
    public Object resolveVariable(QName variableName) {
        if ("username".equals(variableName.getLocalPart())) {
            return username; // Safely bound as a value, never parsed as XPath
        }
        return null;
    }
});

// Use a variable reference instead of concatenation
String xpath = "//users/user[name=$username]/password";
XPathExpression expr = xPath.compile(xpath);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
```

**Why it's secure:** the expression text is a constant, and the user-supplied value is delivered to the evaluator through the variable resolver. Whatever characters the value contains, it is compared as a string and cannot alter the query's structure.
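As an added example (not part of the original skill file), the following self-contained program builds a constructed in-memory user document and runs both the concatenated query and the variable-bound query against it. It also covers the unit-test suggestion under Verification: `main` checks that a legitimate name containing a single quote (`O'Brien`) breaks the concatenated expression but is matched exactly, and only that record, by the parameterized one. The class, method and element names and the sample XML are assumptions chosen for this example.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathParamDemo {

    // Constructed sample document; not taken from any real system.
    private static final String USERS_XML =
          "<users>"
        + "  <user><name>alice</name><password>REDACTED-1</password></user>"
        + "  <user><name>O'Brien</name><password>REDACTED-2</password></user>"
        + "</users>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so the parser cannot be driven to load external entities.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // The vulnerable pattern: the user value is spliced into the expression text.
    static int lookupConcatenated(Document doc, String username) throws XPathExpressionException {
        XPath xPath = XPathFactory.newInstance().newXPath();
        String expr = "//users/user[name='" + username + "']/password";
        NodeList nodes = (NodeList) xPath.compile(expr).evaluate(doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    // The fix: the value is delivered through a variable resolver and compared as a string.
    static int lookupParameterized(Document doc, String username) throws XPathExpressionException {
        XPath xPath = XPathFactory.newInstance().newXPath();
        xPath.setXPathVariableResolver(new XPathVariableResolver() {
            @Override
            public Object resolveVariable(QName variableName) {
                return "username".equals(variableName.getLocalPart()) ? username : null;
            }
        });
        XPathExpression compiled = xPath.compile("//users/user[name=$username]/password");
        NodeList nodes = (NodeList) compiled.evaluate(doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    // Minimal assertion helper so the program doubles as a unit test.
    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);

        // A plain name is found by both versions.
        check(lookupConcatenated(doc, "alice") == 1, "concatenated lookup of a plain name");
        check(lookupParameterized(doc, "alice") == 1, "parameterized lookup of a plain name");

        // A legitimate name with a quote: concatenation ends the literal early and the
        // rest of the input is parsed as XPath syntax, so compile() rejects the expression.
        boolean concatenatedBroke = false;
        try {
            lookupConcatenated(doc, "O'Brien");
        } catch (XPathExpressionException e) {
            concatenatedBroke = true;
        }
        check(concatenatedBroke, "concatenation must not survive a quote in the input");

        // The bound variable matches exactly one record, and an unknown name matches none.
        check(lookupParameterized(doc, "O'Brien") == 1, "bound variable matches the quoted name");
        check(lookupParameterized(doc, "nobody") == 0, "bound variable matches no unknown name");

        System.out.println("All checks passed");
    }
}
```

Run it with `javac XPathParamDemo.java && java XPathParamDemo`; it needs nothing beyond the JDK. Two practical notes: the resolver must be registered on the `XPath` before `compile()` is called, as in the fix above, and `XPath` objects are not thread-safe, so create the instance, set the resolver and compile per request rather than sharing one instance whose resolver is mutated.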
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find XPath compile/evaluate calls on lines that also contain '+' (string concatenation)
grep -rn "\.compile(\|XPathExpression\|\.evaluate(" --include="*.java" . | grep -F '+'
```

This is a first-pass filter only: it misses expressions assembled over several lines or with `String.format`/`StringBuilder`, so review every `compile()` and `evaluate()` call site whose expression string is not a constant.
## Remediation Steps

1. Use `XPathVariableResolver` for parameterized queries
2. Reference variables with `$varname` syntax
3. Validate input against expected patterns
4. Consider using typed XML libraries instead of XPath
## Key Imports

```java
import javax.xml.namespace.QName;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
```
## Verification

After remediation:

1. Run the SAST scanner to confirm the vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code
## Trigger Examples

- "Fix CWE-643 vulnerability"
- "Resolve XPath Injection issue"
- "Secure this Java code against XPath injection"
- "SAST reports CWE-643"
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator

Last Updated: 2026-03-07