DEV Community

Muhammad Ahmad
Web Services Security: XPath Injection

An XPath injection attack manipulates the XPath queries an application builds from user input in order to extract information from an XML document or database. The technique is comparatively new and, as the rest of the article shows, closely resembles SQL injection.

The XPath Language

XPath, short for XML Path Language, lets one select information in an XML document by referring to any kind of data it contains (text, elements, attributes, and so on).

XPath can be used directly from application platforms such as Microsoft .NET or ColdFusion, which support it out of the box.
To select a part of an XML document, XPath works on the node tree that the parser builds from that document.
There are several kinds of nodes in the tree, for instance:
• source
• element
• attribute
• text
• comments
• processing instructions

One of the primary building blocks of XPath is the expression, in other words an instruction of the language.
Expressions denote operations, and one of the most important kinds is the location path. An example of such an expression is:

/person/name

which refers to all elements named name that are children of elements named person, which in turn are children of the root element. An XPath expression returns a list of node references; that list can be empty or contain one or more nodes.
Another XPath mechanism is the predicate, which selects one or more particular nodes with specific characteristics:

/person/secret_id_number[@private='if']

The expression above selects all secret_id_number children of person whose private attribute equals if. One should also distinguish the conditional operators:
• the operator and is used by enclosing different logical predicates in brackets
• the operator or is represented by the pipe character
• the negation uses the reserved keyword not

Here is an XML document to which the expressions above apply:

<?xml version="1.0"?>
<person>
  <name>Bob</name>
  <surname>Alice</surname>
  <secret_id_number private="if">12345678w</secret_id_number>
  <company>Microsoft Co.</company>
</person>
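To make the expressions above concrete, here is an added Ruby example (not from the original post) that loads the document shown above with the standard-library REXML parser and evaluates a location path, an attribute predicate, and predicates that combine conditions with XPath's own and, or and not() syntax. The helper names texts, names and demo are mine.

```ruby
require 'rexml/document'

# The post's example document, constructed inline for this demo.
PERSON_XML = <<~XML
  <?xml version="1.0"?>
  <person>
    <name>Bob</name>
    <surname>Alice</surname>
    <secret_id_number private="if">12345678w</secret_id_number>
    <company>Microsoft Co.</company>
  </person>
XML

PERSON = REXML::Document.new(PERSON_XML)

# Evaluate an XPath expression against the document and return the text
# of every element it selects (an empty list when nothing matches).
def texts(xpath)
  REXML::XPath.match(PERSON, xpath).map { |el| el.text.strip }
end

# Same, but return the element names; handy for wildcard (*) steps.
def names(xpath)
  REXML::XPath.match(PERSON, xpath).map(&:name)
end

# One query per construct discussed in the text.
def demo
  {
    # location path: every <name> under <person> under the root
    location_path: texts('/person/name'),
    # predicate on an attribute value
    attribute_predicate: texts("/person/secret_id_number[@private='if']"),
    # two conditions joined with the XPath keyword 'and'
    and_predicate: names("/person/secret_id_number[@private='if' and text()='12345678w']"),
    # either condition, joined with the XPath keyword 'or'
    or_predicate: names("/person/*[@private='if' or text()='Bob']"),
    # negation with the not() function: children lacking a private attribute
    not_predicate: names('/person/*[not(@private)]'),
    # a path that matches nothing yields an empty list, not an error
    no_match: texts('/person/address'),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints one result per query; the empty result for /person/address is the point to keep in mind for the injection discussion, since a query that is syntactically valid but matches nothing fails silently.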

Example of XPath injection

Let's say that a developer stores authentication data in an XML file with the following structure:

<user>
  <name>UserName</name>
  <password>Password</password>
</user>

On authentication, the developer builds an XPath expression this way:

// the text box contents are concatenated straight into the query
string xpath = "//user[name/text()='" + txtUserName.Text + "' and password/text()='" + txtPassword.Text + "']";

txtUserName and txtPassword are standard ASPX text boxes. When an attacker enters a value containing an apostrophe (') into one of them, the apostrophe terminates the string literal and whatever follows is interpreted as the attacker's own XPath expression. The scenario is essentially the same as with SQL injection.

So what can an XPath injection attack really do?
An attacker can get, modify or delete anything stored in the given XML file. Not cool!

Finding XPath injection vulnerabilities

The first technique is trial and error. Try inserting strings like:

  • 'whatever - basic test
  • DROP
  • Something

into every input, URL parameter and so on. If you see an error mentioning the ASP.NET classes that manipulate XML, you have probably found an XPath injection vulnerability.
The second way is to search the code. Look for the following strings:

  • XPath - many classes that work with XPath have the string 'xpath' in their name.
  • SelectSingleNode() and SelectNodes() - methods used in Kentico to read data from XML files via XPath.
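As an added illustration of the second technique (not from the post), this Ruby snippet applies the two search strings above to a few constructed C# lines and additionally flags the calls where the query is assembled from other values by concatenation or interpolation, which is the shape of the ASPX example earlier in the article. It is a triage heuristic for review, not a complete analysis; the sample source, the regular expressions and the function name are mine.

```ruby
# Constructed C# lines standing in for a code base under review.
SAMPLE_SOURCE = <<~CS
  XmlNode user = doc.SelectSingleNode("//user[name/text()='" + txtUserName.Text + "']");
  XmlNodeList all = doc.SelectNodes("//user");
  var expr = XPathExpression.Compile($"//item[@id='{id}']");
  string xpath = "//user[name/text()='" + name + "']";
  Console.WriteLine("hello");
CS

# The search strings from the text: class names containing "xpath"
# (case-insensitive) and the two Kentico selection methods.
XPATH_API = /xpath|SelectSingleNode\s*\(|SelectNodes\s*\(/i

# A query built from other values usually shows up on the same line as
# string concatenation ("..." + x) or C# interpolation ($"...").
DYNAMIC_BUILD = /"\s*\+|\+\s*"|\$"/

# Return one record per line that touches the XPath API, marking whether
# the query on that line is assembled dynamically (the lines to read first).
def find_xpath_sinks(source)
  source.each_line.with_index(1).filter_map do |line, number|
    next unless line.match?(XPATH_API)
    { line: number, dynamic: line.match?(DYNAMIC_BUILD), text: line.strip }
  end
end

# Convenience: only the dynamically built queries.
def dynamic_xpath_sinks(source)
  find_xpath_sinks(source).select { |sink| sink[:dynamic] }
end

if $PROGRAM_NAME == __FILE__
  find_xpath_sinks(SAMPLE_SOURCE).each do |sink|
    flag = sink[:dynamic] ? 'DYNAMIC' : 'static '
    puts "#{flag} line #{sink[:line]}: #{sink[:text]}"
  end
end
```

A static query such as doc.SelectNodes("//user") still appears in the list, because the text's advice is to find every XPath call site; the dynamic flag just orders the work.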

You can avoid XPath injection by following these rules:

  • Validate input from external sources before you put it into XPath expressions.
  • For characters like ', <, >, etc., use replacement entities: &apos; is the entity for an apostrophe.
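As an added example (not the post's own code), the Ruby login below reproduces the string concatenation from the ASPX snippet in the injection section and, next to it, a version that follows the first rule above by turning each untrusted value into a proper XPath string literal before it reaches the query. XPath 1.0 string literals have no escape character, so a value that contains both kinds of quote is assembled with the concat() function rather than by entity replacement. The user store, the credentials and the test input are constructed for the demo, REXML stands in for the .NET XPath classes, and the function names are mine.

```ruby
require 'rexml/document'

# Constructed user store in the structure the post describes; the <users>
# root element is added so that several <user> records fit in one file.
USERS_XML = <<~XML
  <users>
    <user>
      <name>alice</name>
      <password>s3cret</password>
    </user>
    <user>
      <name>bob</name>
      <password>hunter2</password>
    </user>
  </users>
XML

USERS = REXML::Document.new(USERS_XML)

# Run a query and return the names of the users it selects.
def matched_users(xpath)
  REXML::XPath.match(USERS, xpath).map { |u| u.elements['name'].text }
end

# Vulnerable: the same string concatenation as the ASPX example in the post.
# Whatever the caller types lands inside the query unchanged.
def vulnerable_login(name, password)
  matched_users("//user[name/text()='#{name}' and password/text()='#{password}']")
end

# Turn an untrusted value into an XPath 1.0 string literal. XPath has no
# escape character, so a value that contains both quote kinds is split on
# the apostrophes and rejoined with concat().
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |piece| "'#{piece}'" }
  "concat(#{parts.join(%q{, "'", })})"
end

# Hardened: every untrusted value becomes a literal, so an apostrophe can
# no longer end the string and start attacker-controlled XPath.
def safe_login(name, password)
  matched_users("//user[name/text()=#{xpath_literal(name)} and password/text()=#{xpath_literal(password)}]")
end

if $PROGRAM_NAME == __FILE__
  payload = "' or '1'='1" # constructed input that closes the literal early
  puts "vulnerable, correct credentials: #{vulnerable_login('alice', 's3cret').inspect}"
  puts "vulnerable, injected password:   #{vulnerable_login('nobody', payload).inspect}"
  puts "hardened, injected password:     #{safe_login('nobody', payload).inspect}"
end
```

With the concatenated query, the injected password turns the predicate into a condition that is true for every user, so the lookup returns both accounts without a valid password; the literal-building version feeds the same input to the engine as data and returns nothing. Validating the input before it gets anywhere near the query, as the first rule says, remains the first line of defence; the literal builder is the safety net for the values that must be passed through.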

For further information, kindly use Google, or reach out to me :)
