An XPath injection attack manipulates XPath queries in order to extract information from an XML data store. It is a relatively new technique which, as the rest of the article shows, resembles SQL injection to a considerable degree.
XPath, short for XML Path Language, enables one to select information within an XML document by referring to any sort of data (text, elements, attributes...) contained within the document.
XPath can be used directly from application platforms such as Microsoft .NET or ColdFusion, which support it out of the box.
To select part of an XML document with XPath, the parser first represents the document as a node tree, and the selection is then made against that tree.
There are a number of different kinds of nodes in the tree, for instance:
• processing instructions
One of the primary foundations of XPath is the expression, that is, an instruction of the language.
Expressions denote operations; one of the most important of them is the location path. An example of such an expression could be:
which refers to all elements of type name that are children of any element of type person, which in turn is a child of the root element. XPath expressions return lists of element references; such a list can be empty or contain one or more nodes.
Another mechanism XPath uses is the predicate, which allows one to select a particular node or nodes with specific characteristics:
The above would select all child elements of person of the type secret_id_number whose attribute private equals "if". One should also distinguish the conditional operators:
• the operator and is used by enclosing different logical predicates in brackets
• the operator or is represented by the pipe character
• the negation uses the reserved keyword not
Here is how the XML looks:
<?xml version="1.0"?>
<person>
  <name>Bob</name>
  <surname>Alice</surname>
  <secret_id_number private="if">12345678w</secret_id_number>
  <company>Microsoft Co.</company>
</person>
Let's say that a developer stores authentication data in an XML file with the following structure:
<user>
  <name>UserName</name>
  <password>Password</password>
</user>
On authentication, the developer builds an XPath expression this way:
string xpath = "//user[name/text()='" + txtUserName.Text + "' and password/text()='" + txtPassword.Text + "']"; // the variable name "xpath" is assumed here
The txtUserName and txtPassword variables are standard ASPX textboxes. When the attacker enters a value containing an apostrophe (') into one of the textboxes, the apostrophe terminates the string literal and the attacker can write his own XPath expression after it. The scenario is basically the same as with SQL injection.
So what can an XPath injection attack really do?
An attacker can read, modify or delete anything stored in the given XML file. Not cool!
The first technique is based on trial and error. Try inserting strings like:
- 'whatever – basic test
into all inputs, URL parameters and so on. If you see any error related to the classes that handle XML manipulation in ASP.NET, you have probably found an XPath injection threat.
The second way is to search the code for vulnerabilities. Look for the following strings:
- XPath - many classes that work with XPath have the string 'xpath' in their name.
- SelectSingleNode() and SelectNodes() - the methods Kentico uses to get data from XML files via XPath.
You can avoid XPath injection by following these rules:
- Validate input from external sources before you put it into XPath expressions.
- For characters like ', <, > and so on, use replacement entities; for example, &apos; is the entity for an apostrophe.
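As an added example (not the article's or Kentico's own code), here is the vulnerable concatenation from the login snippet above beside a hardened variant in C# with System.Xml. Instead of the entity replacement suggested above, the hardened variant quotes each value as a proper XPath string literal (falling back to concat() when both quote kinds appear); the sample XML, user names and passwords are constructed for the demo.

```csharp
using System;
using System.Xml;
using System.Xml.XPath;

static class XPathAuthDemo
{
    // Constructed sample user store in the structure the article describes.
    const string UsersXml =
        "<users>" +
        "<user><name>bob</name><password>s3cret</password></user>" +
        "<user><name>alice</name><password>hunter2</password></user>" +
        "</users>";
    // Vulnerable: the textbox values are pasted straight into the expression,
    // exactly as in the article's authentication code.
    static bool LoginVulnerable(XmlDocument doc, string user, string pass)
    {
        string xpath = "//user[name/text()='" + user +
                       "' and password/text()='" + pass + "']";
        return doc.SelectSingleNode(xpath) != null;
    }

    // Hardened: turn each value into a well-formed XPath string literal, so a
    // quote in the input can never close the literal and start a new predicate.
    static string XPathLiteral(string value)
    {
        if (!value.Contains("'")) return "'" + value + "'";
        if (!value.Contains("\"")) return "\"" + value + "\"";
        // Both quote kinds present: stitch the pieces together with concat().
        return "concat('" + string.Join("', \"'\", '", value.Split('\'')) + "')";
    }

    static bool LoginHardened(XmlDocument doc, string user, string pass)
    {
        string xpath = "//user[name/text()=" + XPathLiteral(user) +
                       " and password/text()=" + XPathLiteral(pass) + "]";
        return doc.SelectSingleNode(xpath) != null;
    }

    static void Main()
    {
        var doc = new XmlDocument();
        doc.LoadXml(UsersXml);
        string probe = "'whatever";   // the article's basic test string
        Console.WriteLine(LoginHardened(doc, "bob", "s3cret")); // True: real login
        Console.WriteLine(LoginHardened(doc, "bob", probe));    // False, no exception
        try { LoginVulnerable(doc, "bob", probe); }
        catch (XPathException e) { Console.WriteLine("vulnerable: " + e.Message); }
    }
}
```

The XPathException raised by the vulnerable path is exactly the kind of XML-class error the detection section above tells you to look for; the hardened path simply answers "no match" for the same input.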
For further information, kindly use google, or reach out to me :)