Monday, April 2, 2018

XPATH Injection


- Layout for this exercise:

1 - Introduction

- Similar to SQL injection, XPath injection attacks occur when a web site uses user-supplied information to build a query over XML data:

- By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured or access data that they may not normally have access to.

- An attacker may even be able to elevate their privileges on the web site if the XML data is used for authentication (such as an XML-based user file).

- XML is queried with XPath, a simple descriptive expression language that lets the query locate a piece of information in the document.

- Like SQL, it lets you specify attributes to find and patterns to match.

- When a web site is backed by XML, it is common to accept some form of input on the query string to identify the content to locate and display on the page.

- This input must be sanitized to ensure it cannot alter the XPath query and return the wrong data.

2 - Launching the XPATH injection

- This exercise uses OWASP WebGoat v5.4, running on a Windows 10 machine.

- Going to Injection Flaws -> XPATH Injection:

- The scenario of this exercise describes how to use a web form to allow employees of a company to see some personal data, like their salary.

- For instance, entering the valid credentials of the user Mike (Mike/test123) in the input fields:

- The output displays personal data about the user Mike:

- Now, through XPath injection, the attacker intends to access the personal information of all users in the database.

- For this purpose the attacker enters the following string in the form, in both the user and password fields: 'or'5'='5

- The attack is successful: the output displays the personal data of all users in the database:

3 - Explanation of the XPATH injection

- The file users.xml stores the personal data of all users in the database:

- This XPath query defines how the nodes of users.xml are navigated; the values submitted by the client are concatenated directly into the predicate:

$result = $login->xpath("//users[username='" . $_POST['username'] . "' and password='" . $_POST['password'] . "']");

- Both the username and the password conditions must hold, because the AND operator (written and in XPath) yields true only if both operands are true (1 AND 1 = 1):

$result = $login->xpath("//users[username='Mike' and password='test123']");

- Crafting a malicious input so that each operand is always true, the query bypasses the authentication and returns the data of all users in the XML file (since and binds tighter than or, the predicate reads username='' or ('1'='1' and password='') or '1'='1', which is true for every node):

$result = $login->xpath("//users[username='' or '1'='1' and password='' or '1'='1']");
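The same vulnerable pattern beside a hardened lookup, as an added example in Ruby using REXML from the standard library; this is not WebGoat's code nor the PHP snippet above. The users document, the employee/username/password element names, the second user and the helper names (run_query, vulnerable_lookup, safe_lookup, injection_attempt?) are constructed for the example. REXML's XPath parser expects whitespace around or and and, so the payload is written with spaces (' or '1'='1) rather than the unspaced form typed into the WebGoat form; a real XPath engine accepts both.

```ruby
require 'rexml/document'

# Constructed sample users file, modelled on the shape of WebGoat's users.xml
# (not the real file).
USERS_XML = <<~XML
  <employees>
    <employee>
      <username>Mike</username>
      <password>test123</password>
      <salary>70000</salary>
    </employee>
    <employee>
      <username>Jane</username>
      <password>hunter2</password>
      <salary>95000</salary>
    </employee>
  </employees>
XML

DOC = REXML::Document.new(USERS_XML)

# Runs an XPath expression and returns the usernames of the matched <employee> nodes.
def run_query(expr)
  REXML::XPath.match(DOC, expr).map { |e| e.elements['username'].text }
end

# Vulnerable lookup: untrusted input is concatenated straight into the predicate,
# exactly like the $_POST concatenation in the PHP query above.
def vulnerable_lookup(user, pass)
  run_query("//employee[username='#{user}' and password='#{pass}']")
end

# Hardened lookup: an allowlist rejects anything that is not a plain token before
# it reaches the query, so the quote needed to break out of the literal never gets in.
SAFE_TOKEN = /\A[[:alnum:]_]{1,32}\z/

def safe_lookup(user, pass)
  return [] unless user.match?(SAFE_TOKEN) && pass.match?(SAFE_TOKEN)
  run_query("//employee[username='#{user}' and password='#{pass}']")
end

# Detection heuristic for request logs: a quote followed by an XPath boolean
# operator is the signature of the payload used in the exercise.
def injection_attempt?(input)
  input.match?(/'\s*(or|and)\b/i)
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or '1'='1"
  p vulnerable_lookup('Mike', 'test123')   # only Mike's record
  p vulnerable_lookup(payload, payload)    # every record: the predicate is always true
  p safe_lookup(payload, payload)          # nothing: the payload fails the allowlist
  p injection_attempt?("'or'5'='5")        # flagged
end
```

The allowlist is the simplest fix for a login form, where usernames and passwords are never expected to contain quotes or XPath operators; where a library supports binding values as XPath variables, that is the parameterised alternative, and the predicate should then never be assembled from strings at all.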