XML INJECTION
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWWu2zIlPHq33HQKebWKmaeAKsxX__XM3soVwrXPxqC6jM7E4STI-eqCoVVTI0yRLOemeuuZ2FSFRtRnclNRHSUnxwJL9Z3HDbPcmkhofOnb4b4xICPFeF3nwDDLjkhZCAfrtX0_qu6KLq/s1600/screenshot.1.jpg)
1 - Introduction
- An XML (Extensible Markup Language) database is a data persistence software system that allows data to be specified, stored and retrieved in XML format.
https://en.wikipedia.org/wiki/XML_database
- This data can be queried, transformed, exported and returned to a calling system.
- XML databases are a flavor of document-oriented databases which are in turn a category of NoSQL database.
- When the data of a website is stored in an XML database, this data is accessed through a method known as XPath query generation.
- In this method, an XPath query is generated from the input the user provides to the system, and the required data is then retrieved.
- The problem arises when the input provided by the user is not properly filtered or validated by the system before it is embedded in the query.
- XML injection can be prevented by properly managing and sanitizing any user input before it is allowed to reach the main program code.
https://blog.udemy.com/xml-injection/
- The best approach is to treat all user input as unsafe and to check it accordingly.
- Most XML injection attacks can be prevented by simply removing all single and double quotes from the user input.
2 - XML injection scenario
- In this exercise OWASP WebGoat v5.4 is used, running on the Windows 10 machine:
- Going to AJAX Security -> XML Injection:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisWiY7wzgqiguQ5_7bqu4OLBNQyvQbeCOrWl5AWCGgsN2d9fda1n1x7heoThGtDyjGu3Ufau6QGKdrACBPqOxd1uwHIqw44jQlZMbi5zth5Jo4TxXdP_mUKwdtMrLI2eTYlzRkoW1iloLb/s1600/screenshot.50.jpg)
- The scenario of this exercise consists of a web application that offers rewards based on the number of points accumulated by the user.
- In particular, the user whose account has the ID 836239 holds a balance of 100 points, enough to get the first three products from the following list (note that the last two products require a number of points much higher than the 100 available):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijQrn0S9TVLxdZpC2nZEHd3bS-lSAOKno47tb2jKQ-xh-Eyn8P8y5-ZUxeZdSZsUX81ECSTNADd4k6KPEDKsP7K03i0wutzg3wNSLcvGrWRUiRoXC_0u-fAB-vzatkbCNb5ZX-rg-7sYw6/s640/screenshot.48.jpg)
- Once the user ID is entered, the three products are sent to the user's address:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4FxPwOEFLJtiDijEVUv9AL-9DA919ZMMys9T6XPTGdcWVK9z4veZIniGdggzhAOzX4GsSJ5cg4PMrJpR3p2bjCiGnlWUSq26fyrG4-zrIBXFwgQn3fnZoJRakupzdLtfkIobvAr4ay-y0/s1600/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxC0E3Wq7KXxDMB2pO7X-8aFxqChDpkAVxv44n8VQ_ta57Hjp1NrikHwxz2mbBrz_xGWJhEfx2DJk8hnmqXAr563vg1P-Ttng-0mv4AmDVgUB8EDI-VZnMl66E8bP7Cw-aQRNoGdiap1zX/s1600/screenshot.13.jpg)
- The XML file that stores this information about the user is the following:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirTrjB1JZZLeRy2evnp1sp_DnNIabNQkXFWmnah7XHevxZAlJ7SvY2MAgCM06x6khdMYm62NuWRxK9u9_LatvXQrxURLNxDE7PKnRrUumcatFBAZ9iX8xxWTpL92-eHgAABj69Ec8izLDn/s320/screenshot.51.jpg)
- Regarding the rewards, the stored data is the following:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi99ZgvLJ5AfBTJ9_70hUW2N3IE6wV2PSKgEdIoXbmL9YJH6Z65WxY0gbf2IX_sX4iMIA75JjQfa9z-mYo_OyJe6Ozgft6nHzCvYzFAUKwB6YwquTZXs56aPR3GwoZCnZixdp6XaWOT6uiQ/s1600/screenshot.56.jpg)
- The first XPath query, which fetches the user corresponding to the entered ID, would be:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyhEbVYZQ9YZ4j8Ux7XepB3FpVlLx8EfIfyM6DU7ZsNCJf0D88Q1lbDUqLleyHo6DWLnCbltsaqLmNX1j-GFizqexBf3bKfKLQ6bpyZUJpVR3Cc_EwR2NMiotPeNURMbF-z5dGEDv-xRxZ/s1600/screenshot.53.jpg)
- The second XPath query, which finds the reward records costing less than 100 points, would be:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcmCTdMD_8YcB7CREA4KkLMkYGYVmn2Il94DZmxDYsW06aEZbubOPjnoxZLGGwl41r3fW4iJCPPsj69DDfbM6yBDgSechHcsnQswITfcll6ZQNIayyP3TfE5LOTEu-7M-lP8hHaF2AgU1s/s400/screenshot.54.jpg)
3 - Launching the XML injection
- Using the Firefox browser on Kali Linux, the proxy server is enabled:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL1QH8X78gefLwgV3RFiOUI9AkuoCUuDYOS1pqjSgh0TAgv1Xrin-HqsvKB5jGC5zFf8fTS_EzB5SodgAF5clfcMDyZUQKM3rvOoYoSI-eBoD4mI3JKOG9ovnwBYakNfw4EbazdAq8x2M5/s640/screenshot.27.jpg)
- Enabling Burp interception on Kali Linux for the requests and responses exchanged between the attacker and the victim:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7bEkccSDIJjawikdtXlkNOdrxKnp1EQe6ZSabYe81tHhvqu4HR-llkICVd85LqaFn2i_F9iG7U9kWxfFH9_LxwX6i32h2uubHzTMmMpeGSbX7QRtJcEXhx4qde6GUX3jJ1EQ2-giqu6HI/s1600/screenshot.14.jpg)
- The user tries to use his points:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFpy89IoHgx91FGEof5axJGUCqWkXydwCmos4rLrLI-2u_kIksNrbEz5i9GfRdlyj5RoHtFs-lAgHmgdH7NePuM2bDAOfkw2M8gT7Ftbt7nnxp2QBm7Nutvgj7yuGQQZLhYmy560Z8yunI/s1600/screenshot.15.jpg)
- Forwarding with Burp:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1zEtSYLWZEjTUM9pnoD1LFIhBRrTQpuFGm-X9st5owUByrxrtvh2fuDpoSgCmnMZMpah7NGfoLg_ir1biWku2ngqknleLUQTD7hf0mO-51j1T1vcTPhqiaiCc9Vof_tlL38PL_y6J79yT/s400/screenshot.17.jpg)
- Intercepting the response:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqPeHjynXtJn1eTnhvaq_ABXKXc58z_sAMwB3z7_JyjH4mlENSurgj1b6ixWM24RjdONAdG4wFesNB3zOsXuJo6nKpMRrQhLuFCVbZpILDCUCpBiiKbtS_cZrHSutreROi5NRjZCrRavqu/s1600/screenshot.19.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0g-qggRR6wUE7gSFvxPTXqUlbiQQOftj7UmQHDfrOMBu75_3mjvKnxKlGomxf7meBwdjDtl878IBcEbGLtMPEdIh4y5DiBeAzDTQxrBb5HHX-fRu3l4l9gfAybNAKEsWWPpQoupwH5aK/s640/screenshot.20.jpg)
- Now the response is altered by injecting these two extra lines, that is, two extra XML nodes for the most expensive rewards of 2000 and 3000 points respectively:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfOt-naAjAn55-xZ12cuamUSVZ3ovcqMzIa3Rr3HQzjFy__hdNa_vkbl3gaMBKYJ7fZGqOsfgohgjA-R5UUIvsG7MP6HoSPFjUf8fGvhgE0-r04xmReW7OEp9THgV02r3aiTrSwqRp4zXR/s1600/screenshot.21.jpg)
- Forwarding with Burp:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJPGbqz0Q_OUhjcotETe67pEBSAANqAPQj8MGP4lL_alQwd9VxnOXwW1r8mgKmb77r1ePOfYk5VKMCFR6QII9-_OzT5taGuw78O1fA0Ig6klWETwH340ij9u372xkh5LgrAEZyaVJYkQHe/s400/screenshot.22.jpg)
- The user is offered the option to acquire all the items, even though he does not have enough points for them:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvWw4nFSKeL3IMMitv94h-wMG6Qhbsk4FPJdCNVtcpgmhKL0q8xZVHalWPUu9ZqVE9L6eGXLKALhevKDi6nS3QL7cZxZm8hONWLNEpowZ-HYQXCnbr74bv9ghnK9AgYuJPKppViAtPOR4R/s1600/screenshot.28.jpg)
- Checking the rewards and submitting a new request:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwlKJcji5Dg-1FcLsGsTP0DA32EglwxLtxJIQLaz9ki9UL3M_6E43ejN3LPRk7e7RHflsF4uCEVaeFE61w0ehOspoIe72q1SshwlNHSkcqP0kzfe-Tj5_uDjm1UTijtmhUOFUk8FH5Q2OW/s400/screenshot.29.jpg)
- The XML injection is successful (all five items are shipped to the user's address) because the server has not properly validated the request: it trusts the reward list that comes back from the client instead of recomputing it from the user's real balance.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8bxAyptpwA9bALs95YkDopaamdYSa8cHiFRI2cSAv_4HxLRroKximFqVZ3odBZ0kI7vL_y1H4uwB22lu7gXResUFEEKWU_hB3NNX6813kM45YbQWMD95lK1pL4RfV7N7H8eh4_2w5yEZh/s1600/screenshot.30.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsYeC0FP5P19ujfkN70zd0GmX4t5q4FGahqJxrsPd2BwVAIfJBfMR9OGBwLgWzAZR_K4S7nySp0JTy9el905P5O_-B608_kv7pFUdKyUXA2moHvZRnkpTK9oqqK-liPaJdgCl1nvrvXj2x/s1600/screenshot.39.jpg)
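The following is an added example, not WebGoat's own code, of the server-side logic the lesson is missing: the two XPath lookups from section 2 built only from allow-listed input (the point of section 1), plus the check that rejects a reward list tampered with as in section 3. The user and reward records, names and the 20/30/50 point costs of the three affordable rewards are constructed sample data.

```python
# Added example, not WebGoat's code. Sample data constructed to mirror the
# lesson: user 836239 holds 100 points; rewards 4 and 5 cost 2000 and 3000.
import xml.etree.ElementTree as ET

USERS = ET.fromstring("""<users>
  <user><id>836239</id><name>Joe</name><points>100</points></user>
  <user><id>836240</id><name>Ann</name><points>50</points></user>
</users>""")

REWARDS = ET.fromstring("""<rewards>
  <reward><id>1</id><name>Reward 1</name><points>20</points></reward>
  <reward><id>2</id><name>Reward 2</name><points>30</points></reward>
  <reward><id>3</id><name>Reward 3</name><points>50</points></reward>
  <reward><id>4</id><name>Reward 4</name><points>2000</points></reward>
  <reward><id>5</id><name>Reward 5</name><points>3000</points></reward>
</rewards>""")

def validate_user_id(raw):
    # Allow-list: an ASCII-digits-only value cannot close the quote in the
    # XPath predicate, a stricter rule than merely stripping quotes.
    return raw if raw.isascii() and raw.isdigit() else None

def find_user(users, raw_id):
    # The lesson's first XPath query (user by ID); the f-string is safe
    # only because the ID has passed validate_user_id().
    uid = validate_user_id(raw_id)
    return None if uid is None else users.find(f".//user[id='{uid}']")

def affordable_rewards(rewards, balance):
    # The lesson's second query (rewards the balance covers). ElementTree's
    # XPath subset lacks numeric comparison, so the filter runs in Python.
    return {r.findtext("id"): int(r.findtext("points"))
            for r in rewards.iter("reward")
            if int(r.findtext("points")) <= balance}

def check_order(users, rewards, raw_id, submitted_ids):
    # Recompute from the server's own data what this user may order and
    # return the reasons to reject the list (empty list = accept); the
    # reward list carried in the client's request is never trusted.
    user = find_user(users, raw_id)
    if user is None:
        return ["invalid or unknown user"]
    balance = int(user.findtext("points"))
    allowed = affordable_rewards(rewards, balance)
    problems = [f"reward {rid} is not affordable"
                for rid in submitted_ids if rid not in allowed]
    total = sum(allowed.get(rid, 0) for rid in submitted_ids)
    if total > balance:
        problems.append(f"total {total} exceeds balance {balance}")
    return problems
```

With this check in place, the request submitted after the tampered response would be rejected for rewards 4 and 5 regardless of what the browser displayed.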