|XPath Injection Tutorial by HackingLoops|
In XPath injection, we try to inject data into an application so that it executes user-controlled XPath queries. When successfully injected, this vulnerability may allow an hackers to bypass complete authentication systems or access information without proper authorization.
Lets learn with the help of examples that how XPath works, in below example we have a sample XML Database File:
<?xml version=”1.0″ encoding=”ISO-8859-1″?>
In the above code shows the basic format how XML file that is used to store sensitive information.
Now if we want to retrieve the information about Administrator from the above XML file, we have to write a XPath query like below:
string(//hackingloops_user[username/text()=’Hackingloops’ and password/text()=’testing123′]/account/text())
The above XPath query is what the webmaster has embedded into his code in order to access the XML database document.
Now if the web designer has not property filtered the user input, then the hacker will be able to inject XPath code into the website and hence interfere with the query result. Here is the example of XPath query that hacker will use to hack the XML file database:
string(//hackingloops_user[username/text()=” or ‘1’ = ‘1’ and password/text()=” or ‘1’ = ‘1’]/account/text())
Have you noticed, what i have injected in place of username and password.
Note: By below technique web masters use XML and XPath in their website. This is how it will actually look:
$login = simplexml_load_file(“HackingLoops_database.xml”);
$result=$login->xpath(“//hackingloops_user[username/test()='”.$_POST[‘Hackingloops’].” AND password/text()='”.$_POST[‘testing123′].”‘”;
Isn’t that looks similar to SQL injection.
Yes, it is, because the basic concept behind XPath and SQL injection are same as both are possible only when web designer has not properly handled the user input in his code(means use of dynamic queries is not correctly handled). In my previous article about website hacking i have shared 10 step guide to stop SQL injection in websites. (Read more here)
Now XPath injection is also of two types, the above technique what i had explained just now is called Blind XPath injection and other one is called Advanced XPath Injection(i will explain that in later tutorials). Below is the Sample Blind XPath injection username password:
Username: ‘ or ‘1’ = ‘1
Password: ‘ or ‘1’ = ‘1
Now let me explain you what the above username signifies as most of you might not know this. The above username or password will result into a query whose output is always true which which means that the website will authenticate the user even if a username or a password have not been provided. Isn’t that interesting… yup it is.. It’s just the silly mistakes by web designers, now if they know about this exploit then it can be easily protected.
That’s all for today my friends…
I hope you all have liked the tutorial… If you have any queries or doubts related to XPath, you can ask in form of comments. I will help you to understand the topic.