XPath Injection Attacks
" KNOWLEDGE IS FREE "
Website Security: XPath Injection Attacks, Methodology and Examples...
I will not be responsible for how you use this process.
XPath Injection Attacks:
PREREQUISITE -
- Basic programming skills and data manipulation in XML (Extensible Markup Language) and XPath.
- Basic knowledge of web applications' input vulnerabilities and sanitisation methods
- Beginner-level understanding of client/server communication protocols and authentication procedures
SUGGESTED KNOWLEDGE -
- Intermediate understanding of ASP.NET, Java and/or C# code and web programming
PURPOSE -
- Attack used to Extract data from XML Databases/documents
- Manipulate Data from local/remote location to Server (Victim)
DEFINITIONS -
[1]"XPath injection is an attack targeting Web sites that create XPath queries from user-supplied data. If an application embeds unprotected data into an XPath query, the query can be altered so that it is no longer parsed in the manner originally intended. This can be done by bypassing the Web site authentication system and extracting the structure of one or more XML documents in the site."
[2]"XPath 1.0 is a language used to refer to parts of an XML document. It can be used directly by an application to query an XML document, or as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document."
Similar to SQL injection, XPath injection manipulates the queries run against XML databases, so an analogy can be drawn between the two injection methods. They have much in common, such as the use of crafted boolean expressions in the input and, most importantly, the payload: in this case, obtaining data from a server, locally or, in most cases, remotely from the client.
Assuming you know XML and XPath, we're going to dive directly into the attack methodology, using examples of exploitable vulnerabilities.
1ST EXAMPLE:
Similarities to SQL...
In SQL, we use crafted boolean expressions to "trick" the server by passing (somewhat) malicious input to it. For example,
if the login system was set up as follows:
Select * from users where LoginID=' ' and passwd=' '
we can exploit as such:
abc' or 1=1 --
and the query passed to the server for execution becomes:
Select * from users where LoginID = 'abc' or 1=1 -- 'and passwd=' '
The -- comments out the password requirement, so only our LoginID clause is checked; because or 1=1 is always true, the whole condition evaluates to TRUE.
The same concept applies to XML databases/documents with XPath injection...
The same login check, translated to XPath, becomes the following. The insecure/exploitable login system builds its query from the form fields by string concatenation (ASP.NET/C#):
"string(//users[LoginID/text()='" + txtLoginID.Text + "' and passwd/text()='" + txtPasswd.Text + "'])"
Now, we type into the LoginID:
abc' or 1=1 or 'a'='b
This also removes the need to type in a password, and turns our LoginID into one that matches a valid record in the XML document. The query becomes:
String(//users[LoginID/text()='abc' or 1=1 or 'a'='b' and passwd/text()=''])
We get a payload/desired input query passed as:
LoginID='abc' or 1=1 or 'a'='b' and passwd/text()=' '
(which, in boolean terms, is A OR B OR (C AND D): XPath's and binds more tightly than or, so once B, 1=1, is true, the password clause D can no longer make the predicate false)
2ND EXAMPLE:
More complex Procedure...
Insecure/Exploitable Code in XML:
for the username query, we place this injection:
' or 1=1 or ''='
As a payload, we get this code parsed and executed by the server:
Tada! Now we get an output result of:
In other words, we have an instance of
What this does is log us in as the first user in the XML document.
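The two examples above both come down to the same defect: user input is pasted into the XPath string, so a quote character ends the literal and the rest of the input becomes query syntax. The following Python program is an added illustration, not code from the article or from any product it describes. It rebuilds the vulnerable concatenation as a string (never evaluated), shows two defences a practitioner would apply, and runs the article's own injection strings through them. The XML document, the user names and passwords, the allowlist pattern and the function names are all constructed assumptions for the demonstration; the safe lookup uses the XPath subset of Python's standard-library ElementTree.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample document (not from the article), shaped like the page's
# //users[LoginID/text()=...] records. Plain-text passwords are kept only to
# mirror the article; a real store would hold salted hashes.
SAMPLE_XML = """<db>
  <users><LoginID>alice</LoginID><passwd>s3cret</passwd></users>
  <users><LoginID>bob</LoginID><passwd>hunter2</passwd></users>
</db>"""
ROOT = ET.fromstring(SAMPLE_XML)

# The article's two injection strings, kept here only as test inputs.
PAYLOAD_1 = "abc' or 1=1 or 'a'='b"
PAYLOAD_2 = "' or 1=1 or ''='"


def build_query_unsafe(login_id: str, passwd: str) -> str:
    """The vulnerable pattern from the article: input pasted straight into the
    XPath text. Returned as a string for inspection only, never evaluated."""
    return ("string(//users[LoginID/text()='" + login_id
            + "' and passwd/text()='" + passwd + "'])")


def xpath_string_literal(value: str) -> str:
    """Encode any string as an XPath 1.0 string literal. XPath 1.0 has no escape
    sequence inside literals, so a value holding both quote kinds is split into
    concat() pieces; a value with only one kind is wrapped in the other quote."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = ["'" + part + "'" for part in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"


def build_query_quoted(login_id: str, passwd: str) -> str:
    """Defence 1: same query shape as the article, but each input is wrapped as a
    literal, so quote characters in the input cannot end the literal early."""
    return ("//users[LoginID/text()=" + xpath_string_literal(login_id)
            + " and passwd/text()=" + xpath_string_literal(passwd) + "]")


# Hypothetical allowlist for identifiers: no quotes, brackets, parentheses,
# slashes or spaces, so none of the XPath syntax in the payloads gets through.
LOGIN_ID_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def is_valid_login_id(login_id: str) -> bool:
    """True when the identifier matches the allowlist exactly."""
    return LOGIN_ID_RE.fullmatch(login_id) is not None


def lookup_user_safe(login_id: str, passwd: str):
    """Defence 2 (preferred): validate the identifier against the allowlist,
    select the record by identifier only, and compare the secret in application
    code, so the password never becomes part of the query at all."""
    if not is_valid_login_id(login_id):
        raise ValueError("login id contains characters outside the allowlist")
    # ElementTree supports the [child='text'] predicate but no 'or', so even a
    # malformed identifier could not express the article's tautology here.
    matches = ROOT.findall("users[LoginID='" + login_id + "']")
    if len(matches) != 1:
        return None
    stored = matches[0].findtext("passwd") or ""
    # Constant-time compare; with hashed storage this would verify the hash.
    if hmac.compare_digest(stored.encode(), passwd.encode()):
        return login_id
    return None


if __name__ == "__main__":
    print(build_query_unsafe(PAYLOAD_1, ""))    # the article's tautology query
    print(build_query_quoted(PAYLOAD_1, ""))    # payload confined inside a literal
    print(lookup_user_safe("alice", "s3cret"))  # alice
    print(is_valid_login_id(PAYLOAD_2))         # False: rejected before any query
```

Defence 1 is what to reach for when an engine offers no variable binding (Java's javax.xml.xpath and .NET's XsltContext can bind $variables, which is the cleaner equivalent). Defence 2 is stronger because the secret is never part of the query, so there is nothing for a quote in the password field to break out of.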
CONCLUSION -
Hope you got something from this article. I will try to write an article on XML/XPath programming in the Future (if time allows).
But for now, learn at your own pace, and explore the depths of this notorious, yet esoteric attack. I also urge you to try combination or blind injections, when you have time on your hands. For beginners, I hope this sparks your interest and hunger for more knowledge, which, by the way, are my favourite here.
Truly doing something fishy,
- NETFISH.
WORKS CITED: