XPath Injection

OWASP 2013-A1 OWASP 2017-A1 CWE-643 WSTG-INPV-09 CAPEC-83 WASC-39

The XPath injection is an injection attack very similar to SQL injection were a web application uses user-supplied data to construct a malicious XPath query for XML. The attacker can execute this injection by sending malicious information into the web application. Through this attack, an attacker can find out how the XML data is structured and can also access sensitive data from the application. He can also change his privileges on the vulnerable web application if there are any XML data being passed to the application for authentication. There are many web applications where the attacker can inject XPath syntax into a request interpreted by the application, allowing him to execute user-controlled XPath queries. The aftermath of executing this query, allows an attacker to bypass authentication mechanisms and can access information without proper authorisation. XPath is one of the standard languages whose notations are independently implemented.

Example

Consider the following XML code.

      <?xml version="1.0" encoding="utf-8"?>
      <Student>
         <Student ID="1">
            <FirstName>Sashwat</FirstName>
            <LastName>K</LastName>
            <UserName>SK</UserName>
            <Password>password1</Password>
            <Type>Admin</Type>
         </Student>
         <Student ID="2">
            <FirstName>Irfan</FirstName>
            <LastName>Hameed</LastName>
            <UserName>IrfanH</UserName>
            <Password>password2</Password>
            <Type>User</Type>
         </Student>
      </Student>

   

If the above XML code is used for authentication of the users, the application uses XPath to find the user. If an attacker sends a random username and password, the XML will return the following:-

      Username: blimp' or 1=1 or 'a'='a
      Password: blimp
      
      FindUserXPath becomes //Employee[UserName/text()='blimp' or 1=1 or
            'a'='a' And Password/text()='blimp']
      
      Logically this is equivalent to:
            //Employee[(UserName/text()='blimp' or 1=1) or
            ('a'='a' And Password/text()='blimp')]
   

This response from XML proves to the attacker that, the username must only be matched to get into the application. The attacker can manipulate the response to get into the system.

Impact

This vulnerability can have the following impacts:-

  • Reading, updating and deleting arbitrary data/tables from the database
  • Executing commands on the underlying operating system

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Treat all user input as untrusted. Perform appropriate sanitization to the input data.
  • When sanitizing user input, verify the correctness of the data type, length, format, and content.
  • In a client-server application, perform validation at both the client and the server sides.
  • Extensively test applications that supply, propagate, or accept user input.

Latest Articles