
XPath Injection Tutorial to Hack Websites Database

Every day we hear that some website has been hacked, and most of us assume the hacker must be a genius. The reality is quite different: most of the people who deface websites are novice hackers doing it for popularity and show-off. It is only the interest that differs from person to person: the web designer concentrates on building his website, and the hacker concentrates on finding exploits. But have we ever considered how destructive a web designer could be if he started looking for exploits himself, and how constructive he could be if he used that knowledge positively? So it is your decision which path you choose, constructive or destructive. I can only provide tutorials that enhance your knowledge base.
Note: This article is for educational purposes only. Be a part of the constructive side; fame and name can be earned there too. I know it is difficult, but if you are good you will surely be recognized.
So let's start with the very basics. You must already have basic knowledge of HTML and XML, so I will skip those topics; they are fundamentals for anyone who deals with the web day to day. If you do not know the basics, I advise you to go to w3schools and have a quick review of these concepts.


What is XPath?
XPath (XML Path Language) is the syntax for addressing parts of an XML document. It uses path expressions to navigate the document's node tree and provides a library of standard functions for string values, numeric values, date and time comparison, node-set and sequence manipulation, and so on.
Nowadays many webmasters store sensitive data, such as user credentials, in XML documents and use XPath to navigate them. Note that XML offers no protection by itself: it is plain text, readable by anyone who can open the file, and wherever an application builds XPath queries from user input there is a way for hackers to play their part. So friends, let's start our tutorial on XPath injection.
What is xPath Injection?
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. XPath may be used directly by an application to query an XML document, or as part of a larger operation such as an XSLT transformation or an XQuery applied to an XML document.
In XPath injection, we inject data into an application so that it executes user-controlled XPath queries. When the injection succeeds, it may allow a hacker to bypass the authentication system completely or to read information without proper authorization.

Let's learn with the help of examples how XPath works. Below is a sample XML database file:

<?xml version="1.0" encoding="ISO-8859-1"?>

The above shows the header of an XML file of the kind used to store sensitive information: one record per user, each holding the username, password and account elements that the query below addresses.
Now, to retrieve the account of the administrator user 'Hackingloops' from the above XML file, the application writes an XPath query like this:

string(//hackingloops_user[username/text()='Hackingloops' and password/text()='testing123']/account/text())

The above XPath query is what the webmaster has embedded into his code in order to access the XML database document.

Now, if the web designer has not properly filtered the user input, the hacker can inject XPath code through the login form and change the result of the query. Here is the query that the hacker's input produces when it is used to attack the XML database:

string(//hackingloops_user[username/text()='' or '1'='1' and password/text()='' or '1'='1']/account/text())

Have you noticed what has been injected in place of the username and password? Each field closes the quoted literal the application opened and appends a condition that is always true.

Note: Below is how webmasters typically use XML and XPath in their websites. In PHP with SimpleXML, the login code looks like this:

// Vulnerable: the raw form fields are concatenated straight into the XPath expression.
// The form field names 'username' and 'password' are assumed here.
$login = simplexml_load_file("HackingLoops_database.xml");
$result = $login->xpath("//hackingloops_user[username/text()='" . $_POST['username'] . "' and password/text()='" . $_POST['password'] . "']/account/text()");

Doesn't that look similar to SQL injection?
Yes, it does. The basic concept behind XPath and SQL injection is the same: both are possible only when the web designer has not properly handled user input in his code, that is, when dynamic queries are built by concatenating raw input. In my previous article I shared a 10-step guide to stopping injection attacks in websites.

XPath injection comes in two forms. The tautology shown above is the basic form: the injected condition is always true, so the login predicate matches every record. The other form, blind XPath injection, infers the contents of the XML document one true/false question at a time and is the more advanced technique (I will explain it in a later tutorial). Below is the sample username and password for the basic injection:

Username: ' or '1'='1
Password: ' or '1'='1

Now let me explain what the above username signifies, as most of you may not know. The leading quote closes the string literal that the application opened, and or '1'='1 appends a condition that is always true, so the query's predicate evaluates to true for every user. The website therefore authenticates the attacker even though no valid username or password was supplied, and string() returns the account of the first matching user. Isn't that interesting? It is, and it is just a silly mistake by web designers: once they know about this exploit, it can easily be protected against.
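As a worked example of the two queries above and of the PHP login pattern, here is an added Ruby script (not part of the original tutorial and not the site's own code). It runs the legitimate query and the injected one against a small constructed XML file using Ruby's built-in REXML XPath engine, and then shows the fix. The XML body, the second user and the account values are invented for the example; they only reuse the element names from the tutorial's query. The hardened version binds the credentials as XPath variables ($user, $pass) through REXML's variables argument instead of concatenating them into the query text, and adds an allow-list check on the username.

```ruby
require 'rexml/document'

# Constructed sample "database" for this example. It uses the element names the
# tutorial's query addresses (hackingloops_user, username, password, account);
# the file body is not shown on the page, so the records below are invented.
USERS_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <hackingloops_users>
    <hackingloops_user>
      <username>Hackingloops</username>
      <password>testing123</password>
      <account>admin</account>
    </hackingloops_user>
    <hackingloops_user>
      <username>guest</username>
      <password>guest</password>
      <account>guest</account>
    </hackingloops_user>
  </hackingloops_users>
XML

DOC = REXML::Document.new(USERS_XML)

# Vulnerable: the query is built by string concatenation, exactly like the PHP
# snippet in the tutorial. Whatever the user types becomes part of the XPath.
def vulnerable_query(username, password)
  "//hackingloops_user[username/text()='#{username}' and " \
    "password/text()='#{password}']/account/text()"
end

# Returns the account of the first matching user, or nil when nothing matches.
def login_vulnerable(username, password)
  node = REXML::XPath.first(DOC, vulnerable_query(username, password))
  node && node.value
end

# Hardened: the query text is fixed and the credentials are bound as XPath
# variables. The engine treats them as plain string values, so a quote in the
# input can never close the literal and alter the predicate.
SAFE_QUERY = "//hackingloops_user[username/text()=$user and " \
             "password/text()=$pass]/account/text()"

def login_parameterized(username, password)
  vars = { "user" => username, "pass" => password }
  node = REXML::XPath.first(DOC, SAFE_QUERY, {}, vars)
  node && node.value
end

# Defence in depth: usernames have a known shape, so reject anything else before
# it reaches the query. Passwords are deliberately not restricted (that would
# forbid strong passwords); variable binding already protects them.
USERNAME_FORMAT = /\A[[:alnum:]_.-]{1,64}\z/

def valid_username?(username)
  username.match?(USERNAME_FORMAT)
end

def login_hardened(username, password)
  return nil unless valid_username?(username)
  login_parameterized(username, password)
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or '1'='1"   # the tutorial's tautology, typed into both fields
  puts "built query:      #{vulnerable_query(payload, payload)}"
  puts "vulnerable login: #{login_vulnerable(payload, payload).inspect}"   # "admin"
  puts "hardened login:   #{login_hardened(payload, payload).inspect}"     # nil
end
```

The vulnerable path returns "admin" for the payload because the predicate is true for every record and first() picks the first one, which is exactly what string() does in the tutorial's query. PHP's SimpleXMLElement::xpath() accepts only the expression string and offers no variable binding, so a PHP login script has to fall back to strict validation of the input, as valid_username? does, rather than trusting escaping by hand.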

That’s all for today my friends…
I hope you all liked the tutorial. If you have any queries or doubts related to XPath, ask in the comments and I will help you understand the topic.

Thanks for reading…:)

About Lokesh Singh

Hello friends, I am Lokesh Singh, certified ethical hacker (CEH, SSA, CSIF, CISSP). I have 8+ years of extensive experience in the ethical hacking, cyber security and penetration testing domain.
