apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss] phase 07: Track J.5 + Track L.5 — XPATH_INJECTION corpus + XPath / DOM / lxml adapters

Browse source
This commit is contained in:
pitboss 2026-05-17 23:47:12 -05:00
parent b2eeaabb09
commit a32075a756
38 changed files with 2111 additions and 67 deletions
Download patch file Download diff file Expand all files Collapse all files

24
tests/dynamic_fixtures/xpath_injection/java/Vuln.java Normal file
View file

@ -0,0 +1,24 @@
// Phase 07 (Track J.5) Java XPATH_INJECTION vuln fixture.
//
// The function string-concatenates the attacker-controlled `name`
// directly into an XPath expression evaluated by
// `javax.xml.xpath.XPath.evaluate`. A payload like `alice' or '1'='1`
// rewraps the selector as `//user[@name='alice' or '1'='1']`,
// matching every <user> node in the staged document.
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
public class Vuln {
public static Object run(String name) throws Exception {
Document doc = DocumentBuilderFactory.newInstance()
.newDocumentBuilder()
.parse("xpath_corpus.xml");
XPath xp = XPathFactory.newInstance().newXPath();
String expr = "//user[@name='" + name + "']";
return xp.evaluate(expr, doc, XPathConstants.NODESET);
}
}