Blind XPath Injection

This is an Attack. To view all attacks, please see the Attack Category page.

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

Description

About XPath

XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [1]

Simple XPath Injection

Before you can understand what Blind XPath Injection is, you must first have a basic understanding of Simple XPath Injection. So, lets suppose an application includes the following ASP.NET and C# source code:

 ...
 XmlDocument XmlDoc = new XmlDocument();
 XmlDoc.Load("...");
 ...
 XPathNavigator nav = XmlDoc.CreateNavigator();
 XPathExpression expr = nav.Compile("string(//user[name/text()='"+UserID.Text+
    "' and password/text()='"+Password.Text+
    "']/account/text())");
 String account=Convert.ToString(nav.Evaluate(expr));
 if (account=="")
 {
 // Login failed - UserUD and password pair could not be found in the XML document 
 ...
 }
 else
 {
 // Login succeeded - UserID and Password validated
 ...
 }

Based on the way this sample code is written, an attacker could try to inject an XPath expression into the UserID text field. For example, the attacker could enter the following text into the UserID text field (just like with SQL injection):

' or 1=1 or ='

If this entry is not handled properly by the application, then the application will return the first account number in the XML document. If that occurs, the attacker will be logged in as the first user listed in the XML document.