
Monday, April 2, 2018

XPATH Injection


- Layout for this exercise:




1 - Introduction

- Similar to SQL Injection, XPATH Injection attacks occur when a web site uses user-supplied information to query XML data:

https://www.owasp.org/index.php/XPATH_Injection

- By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured or access data that they may not normally have access to.

- An attacker may even be able to elevate their privileges on the web site if the XML data is used for authentication (such as an XML-based user file).

- Querying XML is done with XPath, a simple descriptive statement that lets the XML query locate a piece of information.

- Like SQL, you can specify certain attributes to find and patterns to match.

- When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. 

- This input must be sanitized to verify that it cannot alter the XPath query and return the wrong data.


2 - Launching the XPATH injection

- In this exercise OWASP WebGoat v5.4 is used, running on a Windows 10 machine.

- Going to Injection Flaws -> XPATH Injection:




- The scenario of this exercise describes a web form that allows the employees of a company to see some of their personal data, such as their salary.


- For instance, entering the correct credentials for the user Mike (password test123) in the input fields:




- The output displays personal data about the user Mike:




- Now, through XPATH injection, the attacker intends to access the personal information of all users in the database.

- For this purpose the attacker enters the following string in the form, in both the user and the password fields: 'or'5'='5





- The attack succeeds: the output displays the personal data of all users in the database:







3 - Explanation of the XPATH injection

- The file users.xml stores personal data of all the users in the database:





- This XPATH query defines how the nodes of the file users.xml are navigated; note that both form fields are concatenated straight into the query string (XPath uses a single = for comparison and the lowercase operator and):

$result = $login->xpath("//users[username='" . $_POST['username'] . "' and password='" . $_POST['password'] . "']");


- Both the username and the password comparisons must be true, because the and operator yields true only when both operands are true (1 AND 1 = 1):

$result = $login->xpath("//users[username='Mike' and password='test123']");


- By crafting a malicious input so that both operands of the and are always true (each field closes the quoted literal and appends or '1'='1'), the predicate evaluates to true for every node, so the query bypasses the authentication and grabs the data of all users in the XML file:

$result = $login->xpath("//users[username=''or'1'='1' and password=''or'1'='1']");
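The following PHP script is an added example, not code from the original post or from WebGoat: it runs the vulnerable concatenated query and a hardened lookup against a small constructed users.xml, so the difference in what the injected string returns can be seen. The XML layout (users/user nodes), the variable names and the two lookup functions are assumptions made for the example.

```php
<?php
// Constructed sample data standing in for the exercise's users.xml (assumed layout).
$usersXml = <<<XML
<users>
  <user><username>Mike</username><password>test123</password><salary>5000</salary></user>
  <user><username>Tom</username><password>secret</password><salary>7000</salary></user>
</users>
XML;
$doc = simplexml_load_string($usersXml);

// VULNERABLE: the form fields are concatenated straight into the XPath predicate,
// so an input such as 'or'5'='5 closes the literal and appends a tautology.
function lookupVulnerable(SimpleXMLElement $doc, string $user, string $pass): array
{
    $expr = "//user[username='" . $user . "' and password='" . $pass . "']";
    return $doc->xpath($expr) ?: [];
}

// HARDENED: (1) the username must match a strict whitelist before it reaches the
// query, so quotes, brackets and the word "or" never become part of the expression;
// (2) the password never enters the query at all: the single user node is fetched
// by name and the password is compared in code with a constant-time comparison.
function lookupHardened(SimpleXMLElement $doc, string $user, string $pass): array
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $user)) {
        return [];  // anything that is not a plain identifier is rejected
    }
    $nodes = $doc->xpath("//user[username='" . $user . "']") ?: [];
    if (count($nodes) !== 1) {
        return [];
    }
    // A real deployment stores a hash and uses password_verify(); plain text is
    // kept here only to match the exercise's users.xml.
    return hash_equals((string) $nodes[0]->password, $pass) ? $nodes : [];
}

$payload = "'or'5'='5";
printf("valid credentials, vulnerable query: %d user(s)\n", count(lookupVulnerable($doc, 'Mike', 'test123')));
printf("injected string,   vulnerable query: %d user(s)\n", count(lookupVulnerable($doc, $payload, $payload)));
printf("injected string,   hardened lookup:  %d user(s)\n", count(lookupHardened($doc, $payload, $payload)));
printf("valid credentials, hardened lookup:  %d user(s)\n", count(lookupHardened($doc, 'Mike', 'test123')));
```

With the injected string the vulnerable query returns every user node, because XPath evaluates the predicate as username='' or ('5'='5' and password='') or '5'='5', which is always true; the hardened lookup rejects the string before it reaches the query.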