XPATH Injection

  • Similar to SQL injection, an XPATH injection attack occurs when a web site uses user-supplied input to query XML data

  • By sending intentionally malformed input to the web site, an attacker can find out how the XML data is structured or access data that they would not normally have access to

  • They may even be able to elevate their privileges on the website if the XML data is being used for authentication

    • Such as an XML based user file

  • Querying XML is done with XPATH

    • A simple, descriptive query language whose expressions locate a piece of information in an XML document

    • Like SQL, it lets you specify the attributes to find and the patterns to match

  • When a website is backed by XML, it is common to accept some form of input on the query string to identify the content to locate and display on the page

    • This input must be validated so that it cannot alter the structure of the query and return data it should not

Solution

  • From the source code you can see how the XPATH query is built:

  • Injecting Smith' or 1=1 or 'a'='a' will log you on as the first user defined in the system

    • Password is a required field, but any value will do there
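As an added example (not WebGoat's own code), the login lookup described above built two ways over a constructed XML user file: the string-concatenated query that the lesson's payload defeats, and the same query with the values bound as XPath variables so the input is only ever treated as data. The user names, passwords and roles are constructed sample values.

```ruby
require "rexml/document"

# Constructed sample of an XML-based user file, as the lesson describes.
USERS_XML = <<~XML
  <users>
    <user><name>Mike</name><password>test123</password><role>admin</role></user>
    <user><name>Smith</name><password>qwerty</password><role>user</role></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable: the submitted name and password are concatenated straight into
# the XPath expression, so a quote in the input closes the literal and the
# rest of the input becomes part of the predicate ("or 1=1" matches everyone,
# and the first matching user is returned).
def login_vulnerable(name, password)
  xpath = "//user[name='#{name}' and password='#{password}']"
  node = REXML::XPath.first(DOC, xpath)
  node && node.elements["name"].text
end

# Hardened: the values are passed as XPath variables ($n, $p). The expression
# is fixed at parse time and the input can only be compared as a string.
def login_safe(name, password)
  xpath = "//user[name=$n and password=$p]"
  node = REXML::XPath.first(DOC, xpath, {}, { "n" => name, "p" => password })
  node && node.elements["name"].text
end
```

Both functions return the matched user's name, or nil when no user matches; the hardened version returns nil for the lesson's payload because no user literally has that name.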
