This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Blind XPath Injection"

From OWASP
Jump to: navigation, search
(Blind XPath Injection)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
  
{{Template:Stub}}
+
==Description==
 +
 
 +
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions,
 +
etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath
 +
can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries.
 +
 
 +
 
 +
More information may be found in the article dedicated to [[XPATH Injection]]. Conducting Blind XPath Injection attack the attacker has no knowledge about the structure of the XML document. However his situation is better comparing to [[Blind_SQL_Injection]], because there are functions, which allows for performing tests (XML Crawling) and in the end getting know the document structure.
 +
 
 +
==Examples ==
 +
 
 +
Using [[XPATH_Injection]] attack the attacker is able to e.g. log in to the system without entering valid login and password. If he wants to know information about other users he must take one step further. The attacker may be successfull using two methods: Boolenization and XML Crawling. By adding to the XPath syntax, which allows to log in without entering a login and password, additional expressions (replacing what the attacker entered in the place of login to the specially crafted expression).
 +
 
 +
'''Boolenization'''
 +
 
 +
Using so called "Boolenization" method the attacker may find out if the given XPath expression is True or False. Let's assume that the
 +
aim of the attacker is to log in to the account. Successfull log in would be equal "True" and failed log in attempt would equals "False". Only a smart portion of the information is analyzed "character" or the number. When the attacker focuses on the string he may reveal it in its entirety by checking every single character within the class/range of characters this string belongs to.
 +
 
  
==Description==
+
Using ''string-length(S)'' function, where S is a string, the attacker may find out the length of this string. With the appropriate number of ''substring(S,N,1)'' function iterations, where S is a previously mentioned string, N is a start character, and "1" is a next character counting from N character, the attacker is able to find out the whole string.
 +
 
 +
 
 +
Example:
 +
<pre>
 +
<?xml version="1.0" encoding="UTF-8"?>
 +
<data>
 +
  <user>
 +
  <login>admin</login>
 +
  <password>test</password>
 +
  <realname>SuperUser</realname>
 +
  </user>
 +
  <user>
 +
  <login>rezos</login>
 +
  <password>rezos123</password>
 +
  <realname>Simple User</realname>
 +
  </user>
 +
</data>
 +
</pre>
 +
Function:
 +
 
 +
* ''string.stringlength(//user[position()=1]/child::node()[position()=2])'' returns the length of the second string of the first user (8),
 +
* ''substring((//user[position()=1]/child::node()[position()=2),1,1)'' returns the first character of this user ('r').
 +
 
 +
 
 +
'''XML Crawling'''
 +
 
 +
To get to know the XML document structure the attacker may use:
 +
 
 +
* count(expression)
 +
<pre>
 +
count(//user/child::node()
 +
</pre>
 +
Will return the number of nodes (in this case 2).
 +
 
 +
* stringlength(string)
 +
<pre>
 +
string-length(//user[position()=1]/child::node()[position()=2])=6
 +
</pre>
 +
Using this query the attacker will find out if the second string (password) of the first node (user 'admin') consists of 6 characters.
 +
 
 +
* substring(string, number, number)
 +
<pre>
 +
substring((//user[position()=1]/child::node()[position()=2]),1,1)="a"
 +
</pre>
 +
This query will confirm (True) or deny (False) that the first character of the user ('admin') password is an "a" character.
  
===About XPath===
 
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [http://www.w3.org/TR/xpath]
 
  
===Simple XPath Injection===
+
If the log in form would look like that:
Before you can understand what Blind XPath Injection is, you must first have a basic understanding of Simple XPath Injection. So, lets suppose an application includes the following ASP.NET and C# source code:
 
  ...
 
  XmlDocument XmlDoc = new XmlDocument();
 
  XmlDoc.Load("...");
 
  ...
 
  XPathNavigator nav = XmlDoc.CreateNavigator();
 
  XPathExpression expr = nav.Compile("string(//user[name/text()='"+UserID.Text+
 
    "' and password/text()='"+Password.Text+
 
    "']/account/text())");
 
  String account=Convert.ToString(nav.Evaluate(expr));
 
  if (account=="")
 
  {
 
  // Login failed - UserUD and password pair could not be found in the XML document
 
  ...
 
  }
 
  else
 
  {
 
  // Login succeeded - UserID and Password validated
 
  ...
 
  }
 
  
Based on the way this sample code is written, an attacker could try to inject an XPath expression into the UserID text field. For example, the attacker could enter the following text into the UserID text field (just like with SQL injection):
+
C#:
 +
<pre>
 +
String FindUser;
 +
FindUser = "//user[login/text()='" + Request("Username") + "' And
 +
      password/text()='" + Request("Password") + "']";
 +
</pre>
 +
then the attacker should inject the following code:
 +
<pre>
 +
Username: ' or substring((//user[position()=1]/child::node()[position()=2]),1,1)="a" or ''='
 +
</pre>
  
' or 1=1 or ''='
+
The XPath syntax may remind common [[SQL_Injection]] attacks but the attacker must consider, that this language disallows commenting
 +
out the rest of expresssion. To ommit this limitation the attacker should use OR expressions to void all expressions, which may disrupt the attack.
  
If this entry is not handled properly by the application, then the application will return the first account number in the XML document. If that occurs, the attacker will be logged in as the first user listed in the XML document.
+
Because of ''Boolenization'' the number of queries, even within a small XML document, may be very high (thousands, houndred of thousands and more). That is why this attack is not conducted manually. Knowing few basic XPath functions the attacker is able to write an application in a short time, which will rebuild the structure of the document and will fill it with a data by itself.
  
===Blind XPath Injection===
+
References:
  
==Examples ==
+
* http://www.modsecurity.org/archive/amit/blind-xpath-injection.pdf - by Amit Klein (much more detailes, in my opinion the best source about Blind XPath Injection).
 +
* http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html
  
 
==Related Threats==
 
==Related Threats==
 +
 +
* [[:Category:Command_Execution]]
  
 
==Related Attacks==
 
==Related Attacks==
 +
 +
* [[Blind_SQL_Injection]]
  
 
==Related Vulnerabilities==
 
==Related Vulnerabilities==
 +
 +
* [[Injection_problem]]
  
 
==Related Countermeasures==
 
==Related Countermeasures==
  
[[Category:Attack]]
+
* [[:Category:Input Validation]]
 +
 
 +
More in the article [[XPATH_Injection]]
 +
 
 +
==Categories==
 +
 
 +
[[:Category:Injection]]

Revision as of 20:37, 4 November 2007

This is an Attack. To view all attacks, please see the Attack Category page.


Description

XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries.


More information may be found in the article dedicated to XPATH Injection. Conducting Blind XPath Injection attack the attacker has no knowledge about the structure of the XML document. However his situation is better comparing to Blind_SQL_Injection, because there are functions, which allows for performing tests (XML Crawling) and in the end getting know the document structure.

Examples

Using XPATH_Injection attack the attacker is able to e.g. log in to the system without entering valid login and password. If he wants to know information about other users he must take one step further. The attacker may be successfull using two methods: Boolenization and XML Crawling. By adding to the XPath syntax, which allows to log in without entering a login and password, additional expressions (replacing what the attacker entered in the place of login to the specially crafted expression).

Boolenization

Using so called "Boolenization" method the attacker may find out if the given XPath expression is True or False. Let's assume that the aim of the attacker is to log in to the account. Successfull log in would be equal "True" and failed log in attempt would equals "False". Only a smart portion of the information is analyzed "character" or the number. When the attacker focuses on the string he may reveal it in its entirety by checking every single character within the class/range of characters this string belongs to.


Using string-length(S) function, where S is a string, the attacker may find out the length of this string. With the appropriate number of substring(S,N,1) function iterations, where S is a previously mentioned string, N is a start character, and "1" is a next character counting from N character, the attacker is able to find out the whole string.


Example:

<?xml version="1.0" encoding="UTF-8"?>
<data>
   <user>
   <login>admin</login>
   <password>test</password>
   <realname>SuperUser</realname>
   </user>
   <user>
   <login>rezos</login>
   <password>rezos123</password>
   <realname>Simple User</realname>
   </user>
</data>

Function:

  • string.stringlength(//user[position()=1]/child::node()[position()=2]) returns the length of the second string of the first user (8),
  • substring((//user[position()=1]/child::node()[position()=2),1,1) returns the first character of this user ('r').


XML Crawling

To get to know the XML document structure the attacker may use:

  • count(expression)
count(//user/child::node()

Will return the number of nodes (in this case 2).

  • stringlength(string)
string-length(//user[position()=1]/child::node()[position()=2])=6

Using this query the attacker will find out if the second string (password) of the first node (user 'admin') consists of 6 characters.

  • substring(string, number, number)
substring((//user[position()=1]/child::node()[position()=2]),1,1)="a"

This query will confirm (True) or deny (False) that the first character of the user ('admin') password is an "a" character.


If the log in form would look like that:

C#:

String FindUser;
FindUser = "//user[login/text()='" + Request("Username") + "' And
      password/text()='" + Request("Password") + "']";

then the attacker should inject the following code:

Username: ' or substring((//user[position()=1]/child::node()[position()=2]),1,1)="a" or ''='

The XPath syntax may remind common SQL_Injection attacks but the attacker must consider, that this language disallows commenting out the rest of expresssion. To ommit this limitation the attacker should use OR expressions to void all expressions, which may disrupt the attack.

Because of Boolenization the number of queries, even within a small XML document, may be very high (thousands, houndred of thousands and more). That is why this attack is not conducted manually. Knowing few basic XPath functions the attacker is able to write an application in a short time, which will rebuild the structure of the document and will fill it with a data by itself.

References:

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

More in the article XPATH_Injection

Categories

Category:Injection