- Layout for this exercise:
1 - Introduction
- An XML (Extensible Markup Language) database is a data persistence software system that allows data to be specified, stored and retrieved in XML format.
- This data can be queried, transformed, exported and returned to a calling system.
- XML databases are a flavor of document-oriented databases which are in turn a category of NoSQL database.
- When the data in a website is stored in a XML database, then this data is accessed by using a method known as XPath query generation.
- In this method, an XPath query is generated after the user provides the input to the system and the required data is accessed.
- The problem arises when the input provided by the user is not properly filtered or validated by the system.
- The prevention of XML injection can be done by properly managing and sanitizing any user input before it is allowed to reach the main program code.
- The best method is to consider all the user input as unsafe and to properly monitor this input.
- Most types of the XML injection attacks can be prevented by simply removing all the single and double quotes from the user input.
2 - XML injection scenario
- In this exercise the OWASP WebGoat v5.4 version is used, loaded at the Windows 10 machine:
- Going to AJAX Security -> XML Injection:
- The scenario of this exercise consists of a web application that offers rewards based on the number of points accumulated by the user.
- In particular, the user whose account has the ID 836239 holds a balance of 100 points, enough to get the first three products from the following list (note that the last two products require a number of points much higher than the 100 available):
- By entering the user ID, the three products will be sent to the user's address:
- The XML file that stores such information about the user is the following:
- Regarding the rewards:
- The first XPATH query to fetch the user corresponding to the entered ID would be:
- The second XPATH query to detect the records of gifts with less than 100 points would be:
3 - Launching the XML injection
- Using the browser Firefox, enabling the Proxy server at Kali Linux:
- Enabling Burp interception at Kali Linux, for requests and responses between the attacker and the victim:
- The user tries to use his points:
- Forwarding with Burp:
- Intercepting the answer:
- Now, the response is altered injecting these two extra lines, or two extra XML nodes, including the max rewards of 2000 and 3000 points, respectively:
- Forwarding with Burp:
- The user receives the option to adquire all the items, though he has not got enough points for it:
- Checking the rewards and Submitting a new request:
- The XML injection is successful (the five items are shipped to the user's address) because the server has not properly validated the request: