» » What is xPath Injection? How to exploit with xPath?

What is xPath Injection? How to exploit with xPath?

What is xPath Injection? How to exploit with xPath?




xPath Injection occurs when inputs supplied by the users are not properly sanitized and a malicious attacker is able to send and construct a malformed xPath query for XML data with the intention to extract sensitive information to which normal users don't have access to. It is similar to SQL Injection where attackers does the same, in SQL Injection, SQL queries are made and in xPath Injection, xPath queries are made for XML data/. Queries XML is done through xPath which is type of a simple descriptive statements that allows XML query to locate certain information.

To understand more clearly how a XML document looks like, have a look below. It is a simple XML document codes to authenticate a user based upon the combination of username and password they entered.


<users>
<user>
<name>Administrator</name>
<username>hackingsec</username>
<password>password123!</password>
<admin>1</admin>
</user>
<user>
<name>Admin</name>
<username>admin</username>
<password>reddit12</password>
<admin>0</admin>
</user>
</users>
















When the username 'admin' and password 'reddit12' are entered, the following xPath query is executed

/*[0]/user[username=”admin” and
password=”reddit12”]

Which would return the following

<user>
<name>Admin</name>
<username>admin</username>
<password>reddit12</password>
<admin>0</admin>

</user>


Exploiting xPath Injection : Authentication Bypass

An malicious user can bypass the authentication by sending specially crafted input query.

/*[0]/user[username=”admin” and password=”reddit12”]

If an attacker submits the following malicious input:

username: admin" or "1" ="1
password: anything

the XPATH query which will be executed will be the following:

/*[0]/user[username=”admin" or "1"="1” and
password=”anything”]

The XPath query will result in authentication bypass and an attacker will be able to login to the
application as user "admin". This is because the OR clause in the XPath query is a condition which is always true. Under XPath (similar to SQL) the AND clause has precedence over the OR clause, so the XPath query will be evaluated as shown by the following pseudo-code:

username ="admin" or [TRUE AND False]
which will result in:
username ="admin" or FALSE

As the username admin is valid, the attacker will be able to login as this user.