A web application becomes vulnerable to injection attacks when it does not sanitize user-supplied data properly and uses it unsafely to access other data on the server. XPath Injection Attack is one such attack. Many web applications become vulnerable to XPath Injection when they use user-supplied data unsafely to construct an XPath query over XML data.
Let's understand in detail what it actually is.
What is XPath
Many web applications use XML (EXtensible Markup Language) to store and transport data in a format that is both human readable and machine readable. It is often used to separate data from presentation.
To give an example, a web server may store data in separate XML files and serve a small piece of JavaScript that reads the XML files and updates the contents of HTML pages.
XSLT (EXtensible Stylesheet Language Transformations) is the recommended stylesheet language for XML, and is used to transform an XML document into HTML.
XPath is a query language for selecting nodes from an XML document. It is a major element of XSLT, which uses it to navigate through an XML document and find the required information, but application code also uses it directly, as in the browser example below.
To give an example, let's consider this XML document :
<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
<book category="PROGRAMMING">
<title lang="en">Learn Programming</title>
<author>Adam Smith</author>
<year>2050</year>
<price>50.00</price>
</book>
</bookstore>
In a modern browser, you can load the XML document with XMLHttpRequest and hand the parsed result to the XPath evaluator :
var xhr = new XMLHttpRequest();
xhr.open("GET", "bookstore.xml", false); // assumed location of the document above; synchronous for brevity
xhr.send();
var xmlDoc = xhr.responseXML; // the parsed XML Document, or null if the response was not XML
And, the following XPath query selects the title of the book from the XML document :
var xpath = "/bookstore/book/title";
var result = xmlDoc.evaluate(xpath, xmlDoc, null, XPathResult.ANY_TYPE, null);
var titleNode = result.iterateNext(); // the matching <title> element, or null if nothing matched
What is XPath Injection Attack
Let's understand this with an example.
Suppose we have an authentication system on a webpage which takes a username and a password from the user and uses XPath to look up the following XML document to find the matching user.
<?xml version="1.0" encoding="utf-8"?>
<Users>
<User ID="1">
<FirstName>John</FirstName>
<LastName>Baker</LastName>
<UserName>JBaker</UserName>
<Password>SecretForJohn</Password>
<Type>Admin</Type>
</User>
<User ID="2">
<FirstName>Arnold</FirstName>
<LastName>Cook</LastName>
<UserName>ACook</UserName>
<Password>SecretForArnold</Password>
<Type>User</Type>
</User>
</Users>
Let's consider that it uses the following XPath, built by string concatenation in classic ASP, to look for the user :
FindUserXPath = "//User[UserName/text()='" & Request("Username") & "' and Password/text()='" & Request("Password") & "']"
So an attacker can send a malicious username and password to the web application and select XML nodes without knowing any actual username and password :
Username: blah' or 1=1 or 'a'='a
Password: blah
Because the 'and' operator binds more tightly than 'or' in XPath, FindUserXPath becomes logically equivalent to :
//User[(UserName/text()='blah' or 1=1) or ('a'='a' and Password/text()='blah')]
The 1=1 term is always true, so the whole predicate is true for every User element and the password part becomes irrelevant. The query returns all users rather than the one whose credentials were supplied; a typical implementation takes the first node returned, which is user ID 1, John Baker, the Admin. The attacker is now logged in with that account and can read or change whatever it can reach. This is what makes the web application vulnerable to XPath Injection Attack.
Mitigation
- Use a parameterized XPath interface whenever possible: the query is compiled with placeholders such as $username, and the user input is bound to the placeholders as a value, so it is never parsed as part of the expression.
- If you must construct the XPath query dynamically, escape the user inputs properly.
- In a dynamically constructed XPath query, if you are using quotes to terminate untrusted input, then make sure that quote cannot appear unescaped in the untrusted input, so that the input cannot break out of the quoted part. For example, if a single quote (') is used to delimit the input username, then replace any single quote (') character in the untrusted input with the XML encoded version of that character, &apos;. Note that this replacement only helps where the XPath expression is itself embedded in an XML document (such as an XSLT stylesheet) and decoded by the XML parser. XPath 1.0 string literals have no escape sequence of their own (XPath 2.0 and later allow doubling the quote), so in application code the safer options are to wrap the value in the other quote character, to assemble the literal with concat(), or simply to reject input containing quotes.
- Using precompiled XPath queries is always good. With these, user inputs are bound as values rather than escaped, so no character that should have been escaped can be missed.
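The following Ruby script is an added example and is not code from the original article. It rebuilds the Users lookup from the attack section above with REXML (part of Ruby's standard distribution) so that the bypass, the parameterized query from the first mitigation and the safe quoting from the third can be run offline against a constructed copy of the Users document. The function names find_user_vulnerable, find_user_parameterized, find_user_quoted and xpath_literal are this example's own, and the $u/$p variable binding is REXML's XPath variables feature, which stands in for whatever parameterized interface your own XPath library offers.

```ruby
require "rexml/document"

# Constructed sample user store for this example; it mirrors the Users
# document in the article (names, passwords and IDs are illustrative).
USERS_XML = <<~XML
<?xml version="1.0" encoding="utf-8"?>
<Users>
  <User ID="1">
    <UserName>JBaker</UserName>
    <Password>SecretForJohn</Password>
    <Type>Admin</Type>
  </User>
  <User ID="2">
    <UserName>ACook</UserName>
    <Password>SecretForArnold</Password>
    <Type>User</Type>
  </User>
</Users>
XML

DOC = REXML::Document.new(USERS_XML)

# Returns the ID attribute of a matched <User> node, or nil when nothing matched.
def user_id(node)
  node && node.attributes["ID"]
end

# Vulnerable lookup: the untrusted username and password are pasted straight
# into the XPath expression, exactly like the article's FindUserXPath.
def find_user_vulnerable(username, password)
  xpath = "//User[UserName/text()='#{username}' and Password/text()='#{password}']"
  user_id(REXML::XPath.first(DOC, xpath))
end

# Mitigation 1 (parameterized XPath): the expression contains only the
# variables $u and $p; the values are bound separately and are never parsed
# as XPath, so quotes or operators in the input cannot change the query.
def find_user_parameterized(username, password)
  xpath = "//User[UserName/text()=$u and Password/text()=$p]"
  user_id(REXML::XPath.first(DOC, xpath, {}, { "u" => username, "p" => password }))
end

# Mitigation 3 (quoting the input safely when the query must be built as a
# string): XPath 1.0 string literals have no escape sequence, so a value that
# contains a single quote is wrapped in double quotes, and a value that
# contains both kinds is assembled with concat(). The result is always a
# single string literal, never executable XPath.
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |part| "'#{part}'" }
  "concat(#{parts.join(", \"'\", ")})"
end

def find_user_quoted(username, password)
  xpath = "//User[UserName/text()=#{xpath_literal(username)} and " \
          "Password/text()=#{xpath_literal(password)}]"
  user_id(REXML::XPath.first(DOC, xpath))
end

# The article's payload: a username that closes the literal and appends
# "or 1=1", combined with an arbitrary password.
INJECTED_USERNAME = "blah' or 1=1 or 'a'='a"

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable:    #{find_user_vulnerable(INJECTED_USERNAME, 'blah').inspect}"
  puts "parameterized: #{find_user_parameterized(INJECTED_USERNAME, 'blah').inspect}"
  puts "quoted:        #{find_user_quoted(INJECTED_USERNAME, 'blah').inspect}"
end
```

Run as a script, the vulnerable lookup returns user ID "1" (the Admin) for the injected username, while both hardened lookups return nil for it and still return the right user for genuine credentials. The parameterized form is the one to prefer; xpath_literal is only for code that has no way to bind variables.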