XPATH Injection
Similar to SQL injection, an XPATH injection attack occurs when a web site uses user-supplied information to query XML data. By sending intentionally malformed information to the web site, an attacker can find out how the XML data is structured, or access data that they would not normally have access to. They may even be able to elevate their privileges on the web site if the XML data is used for authentication, such as an XML-based user file.
Querying XML is done with XPATH, a type of simple descriptive statement that allows the XML query to locate a piece of information. Like SQL, you can specify certain attributes to find and patterns to match. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input must be sanitized to verify that it doesn't alter the query and return the wrong data.
Solution
From the source code you can see how the XPATH query is built:
Injecting Smith' or 1=1 or 'a'='a' will log you on as the first user defined in the system. Password is a required field, so you can enter whatever you want there.
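As an added example, not code from the original lesson or its source, the Ruby script below builds the login query the way the text describes (user input spliced into the XPath string), runs the payload from the solution above against a constructed in-memory XML user file, and shows the fix: each user-controlled value is encoded as a single XPath string literal, so it can only be compared as data and never parsed as part of the expression. The user file, the user names and passwords, and the function names are all assumptions made for this demonstration; the XPath engine is REXML from Ruby's standard distribution. The payload is written without its trailing quote because the query template supplies that quote.

```ruby
require 'rexml/document'

# Constructed sample user file, standing in for the XML-based user file
# the lesson describes (assumption for this example, not from the page).
USER_FILE = REXML::Document.new(<<~XML)
  <users>
    <user><name>admin</name><password>hunter2</password><role>admin</role></user>
    <user><name>Smith</name><password>s3cret</password><role>user</role></user>
  </users>
XML

# Vulnerable lookup: user input is spliced straight into the XPath
# expression, so a quote in the input closes the string literal and
# everything after it is parsed as XPath. Returns the matched user's
# name, or nil when the predicate matches no user.
def find_user_vulnerable(name, password)
  query = "//user[name='#{name}' and password='#{password}']"
  node = REXML::XPath.first(USER_FILE, query)
  node && node.elements['name'].text
end

# Encode an arbitrary string as one XPath 1.0 string literal. XPath
# literals have no escape character, so a value containing both quote
# types is split on the single quotes and reassembled with concat().
def xpath_literal(value)
  s = value.to_s
  return "'#{s}'" unless s.include?("'")
  return "\"#{s}\"" unless s.include?('"')
  parts = s.split("'", -1).map { |part| "'#{part}'" }
  "concat(#{parts.join(', "\'", ')})"
end

# Hardened lookup: every user-controlled value goes through
# xpath_literal, so the injected "or 1=1" stays inside the literal and
# is compared against the name element instead of being evaluated.
def find_user_safe(name, password)
  query = "//user[name=#{xpath_literal(name)} and password=#{xpath_literal(password)}]"
  node = REXML::XPath.first(USER_FILE, query)
  node && node.elements['name'].text
end

if __FILE__ == $PROGRAM_NAME
  payload = "Smith' or 1=1 or 'a'='a"
  puts "vulnerable: #{find_user_vulnerable(payload, 'anything').inspect}"  # "admin"
  puts "hardened:   #{find_user_safe(payload, 'anything').inspect}"        # nil
  puts "legit:      #{find_user_safe('Smith', 's3cret').inspect}"          # "Smith"
end
```

In the vulnerable version the predicate becomes name='Smith' or 1=1 or ('a'='a' and password='anything'); since "and" binds tighter than "or", it is true for every user and XPath.first returns the first one in the file, which is exactly the behaviour the solution describes. Literal encoding is the string-building fix; where the XPath library offers bound variables or a parameterized query API, that is the equivalent of a prepared statement and is the preferable first choice, with an allowlist on the username format as defence in depth.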