Most web apps defend against DOM-based Cross-Site Scripting by validating user input before it is written into the DOM. Data fetched from the app's own APIs, however, is often treated as trusted because it did not come from the user, so it is written into the DOM without any validation. This post shows a trick for tampering with such API data using XPath injection: because the client never validates what the API returns, the result is DOM-based XSS.
This attack is useful because XPath 1.0 implementations expose a very limited attack surface on their own; the more damaging primitives only appear in XPath 2.0 and 3.1, and implementations of those versions are not widely deployed, so most web apps still run on version 1.0.
Since many people don't know XPath very well, I'll cover the basics needed to understand how it works and how to exploit it.
The first step when scanning a web app for XPath injection is to try boolean-based conditions such as the following:
/vulnerable_page?id=1' and '1'='1
/vulnerable_page?id=1' and '1'='0
/vulnerable_page?id=1" and "1"="1
/vulnerable_page?id=1' and "1"="0
/vulnerable_page?id=1 and 1=1
/vulnerable_page?id=1 and 1=0
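To make the boolean-based probes above concrete, here is an added Python example (not code from the original post) that simulates a vulnerable API handler building an XPath 1.0 query by string concatenation, runs the probes from the list against it with lxml (assumed installed), and contrasts it with a handler that binds the value as an XPath variable. The XML data, the handler names and the `id` attribute are all made up for the example.

```python
from lxml import etree  # lxml is assumed installed; it provides the XPath 1.0 engine used here

# Constructed sample back-end data (not from the original post).
USERS_XML = b"""<users>
  <user id="1"><name>alice</name><bio>Hi, I am Alice</bio></user>
  <user id="2"><name>bob</name><bio>Bob here</bio></user>
</users>"""
DOC = etree.fromstring(USERS_XML)


def vulnerable_lookup(user_id):
    """Hypothetical API handler: builds the XPath by string concatenation.
    A single quote in the input closes the literal, so the rest of the input
    becomes part of the predicate."""
    query = "//user[@id='" + user_id + "']/bio/text()"
    return [str(t) for t in DOC.xpath(query)]


def safe_lookup(user_id):
    """Hardened form: the value is bound as an XPath variable ($uid), so quotes
    in the input can never change the structure of the expression."""
    return [str(t) for t in DOC.xpath("//user[@id=$uid]/bio/text()", uid=user_id)]


def probe_result(lookup, value):
    """Run one probe; an unparseable query (e.g. mismatched quotes) is reported
    as None, which is itself a useful signal while scanning."""
    try:
        return lookup(value)
    except etree.XPathEvalError:
        return None


def boolean_probe(lookup, base="1"):
    """Boolean-based detection: if the 'true' probe returns the same result as
    the untouched base value while the 'false' probe returns something else,
    the input is being interpreted as part of the XPath expression."""
    baseline = probe_result(lookup, base)
    true_case = probe_result(lookup, base + "' and '1'='1")
    false_case = probe_result(lookup, base + "' and '1'='0")
    return baseline == true_case and baseline != false_case


if __name__ == "__main__":
    for value in ["1", "1' and '1'='1", "1' and '1'='0", "1' and \"1\"=\"0"]:
        print(repr(value), "->", probe_result(vulnerable_lookup, value))
    print("vulnerable handler injectable:", boolean_probe(vulnerable_lookup))
    print("safe handler injectable:", boolean_probe(safe_lookup))
```

Against the concatenating handler the `'1'='1` probe returns Alice's bio exactly like the plain `id=1`, while `'1'='0` returns nothing, which is the differential you look for. The mixed-quote probe (`1' and "1"="0`) leaves an unterminated literal and makes the engine raise an error; in a real app that usually shows up as a 500 or a visibly different page, so error responses count as evidence too. Which probe variant fires depends on how the back end quotes the value: the `"` variants target double-quoted literals and the bare `1 and 1=1` targets numeric comparisons. With the variable-binding handler every probe is compared as a literal string, so the true and false cases behave the same and `boolean_probe` reports nothing.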
