This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Blind XPath Injection"
(→Simple XPath Injection) |
(→Simple XPath Injection) |
||
| Line 10: | Line 10: | ||
===Simple XPath Injection=== | ===Simple XPath Injection=== | ||
Suppose an application includes the following ASP.NET and C# source code: | Suppose an application includes the following ASP.NET and C# source code: | ||
| − | + | ... | |
| − | ... | + | XmlDocument XmlDoc = new XmlDocument(); |
| − | XmlDocument XmlDoc = new XmlDocument(); | + | XmlDoc.Load("..."); |
| − | XmlDoc.Load("..."); | + | ... |
| − | ... | + | XPathNavigator nav = XmlDoc.CreateNavigator(); |
| − | XPathNavigator nav = XmlDoc.CreateNavigator(); | + | XPathExpression expr = nav.Compile("string(//user[name/text()='"+UserID.Text+ |
| − | XPathExpression expr = | + | "' and password/text()='"+Password.Text+ |
| − | nav.Compile("string(//user[name/text()='"+UserID.Text+ | + | "']/account/text())"); |
| − | "' and password/text()='"+Password.Text+ | + | String account=Convert.ToString(nav.Evaluate(expr)); |
| − | "']/account/text())"); | + | if (account=="") |
| − | String account=Convert.ToString(nav.Evaluate(expr)); | + | { |
| − | if (account=="") | + | // Login failed - UserUD and password pair could not be found in the XML document |
| − | { | + | ... |
| − | // Login failed - UserUD and password pair could not be found in the XML document | + | } |
| − | ... | + | else |
| − | } | + | { |
| − | else | + | // Login succeeded - UserID and Password validated |
| − | { | + | ... |
| − | // Login succeeded - UserID and Password validated | + | } |
| − | ... | ||
| − | } | ||
Based on the way this code is written, an attacker could easily inject an XPath expression into the UserID text field and then submit the query. For example, the attacker could enter the following text into the UserID field (just like with SQL injection): | Based on the way this code is written, an attacker could easily inject an XPath expression into the UserID text field and then submit the query. For example, the attacker could enter the following text into the UserID field (just like with SQL injection): | ||
Revision as of 20:21, 8 September 2006
- This is an Attack. To view all attacks, please see the Attack Category page.
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
Description
About XPath
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [1]
Simple XPath Injection
Suppose an application includes the following ASP.NET and C# source code:
...
XmlDocument XmlDoc = new XmlDocument();
XmlDoc.Load("...");
...
XPathNavigator nav = XmlDoc.CreateNavigator();
XPathExpression expr = nav.Compile("string(//user[name/text()='"+UserID.Text+
"' and password/text()='"+Password.Text+
"']/account/text())");
String account=Convert.ToString(nav.Evaluate(expr));
if (account=="")
{
// Login failed - UserUD and password pair could not be found in the XML document
...
}
else
{
// Login succeeded - UserID and Password validated
...
}
Based on the way this code is written, an attacker could easily inject an XPath expression into the UserID text field and then submit the query. For example, the attacker could enter the following text into the UserID field (just like with SQL injection):
' or 1=1 or ='
If not handled properly by the application, this data entry will always returns the first account number in the XML document. Such an attack is called “Xpath Injection”, which is an basically the same as a “SQL injection” attack. This can result in having the attacker logged in (as the first user listed in the XML document), although the attacker did not provide any valid user name or password.
Blind XPath Injection
Using Blind XPath Injection, an attacker can extract a complete XML document for XPath querying without prior knowledge of the query. The attacker can access the entire XML "database" used in the XPath query which can be powerful against sites that use XPath queries (and XML "databases") for authentication, searching and other uses.
