What is xPath Injection? How to exploit with xPath? [Part 1]

xPath Injection occurs when input supplied by users is not properly sanitized, so that a malicious attacker can construct and send a malformed xPath query against XML data in order to extract sensitive information that normal users do not have access to. It is similar to SQL Injection: in SQL Injection the attacker manipulates SQL queries, and in xPath Injection the attacker manipulates xPath queries made against XML data. XML is queried through xPath, a simple language of descriptive statements that lets a query locate particular information in an XML document.

To understand more clearly what an XML document looks like, have a look at the example below. It is a simple XML document used to authenticate a user based on the combination of username and password they enter.

(The element names user, username and password are the ones used by the queries below; the names of the display-name and flag elements did not survive extraction, so name and admin are assumed here.)

    <users>
      <user>
        <name>Administrator</name>
        <username>hackingsec</username>
        <password>password123!</password>
        <admin>1</admin>
      </user>
      <user>
        <name>Admin</name>
        <username>admin</username>
        <password>reddit12</password>
        <admin>0</admin>
      </user>
    </users>

When the username 'admin' and password 'reddit12' are entered, the following xPath query is executed:

    /*[0]/user[username="admin" and password="reddit12"]

which would return the following user element (name and admin element names are assumed, as above):

    <user>
      <name>Admin</name>
      <username>admin</username>
      <password>reddit12</password>
      <admin>0</admin>
    </user>

Exploiting xPath Injection : Authentication Bypass

A malicious user can bypass the authentication by sending specially crafted input. The query built from the username and password fields is:

    /*[0]/user[username="admin" and password="reddit12"]

If an attacker submits the following malicious input:

username: admin" or "1" ="1
password: anything

the xPath query that will be executed is the following:

    /*[0]/user[username="admin" or "1"="1" and password="anything"]

The xPath query results in an authentication bypass, and the attacker is able to log in to the application as user "admin". This is because the injected OR condition "1"="1" is always true. Under xPath (similar to SQL) the AND clause has precedence over the OR clause, so the xPath query will be evaluated as shown by the following pseudo-code:

    username="admin" or [TRUE and FALSE]

which will result in:

    username="admin" or FALSE

As the username admin is valid, the attacker will be able to log in as this user.
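The following Python script is an added example, not code from the original post. It rebuilds the document above (the root element users and the elements name and admin are assumed; user, username and password come from the page's queries), evaluates predicates of exactly the shape the page uses with a small evaluator that gives 'and' higher precedence than 'or' as XPath 1.0 does, and contrasts the vulnerable string-concatenated query with one whose text is fixed and whose inputs are bound as variables. The evaluator is a toy for the subset of XPath on this page, not a real XPath engine; the variable-binding approach is the same idea as passing keyword variables to lxml's xpath() in a real application.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XML document mirroring the one in the text.  The element names
# user, username and password come from the page's queries; the root 'users'
# and the 'name' and 'admin' elements are assumed for this example.
USERS_XML = """<users>
  <user><name>Administrator</name><username>hackingsec</username>
        <password>password123!</password><admin>1</admin></user>
  <user><name>Admin</name><username>admin</username>
        <password>reddit12</password><admin>0</admin></user>
</users>"""
ROOT = ET.fromstring(USERS_XML)

# Tokens: "string" or 'string' literal, $variable, bare name or keyword, '='.
TOKEN_RE = re.compile(r'\s*(?:("[^"]*"|\'[^\']*\')|(\$\w+)|(\w+)|(=))')

def tokenize(predicate):
    """Split a predicate into (kind, text) tokens; anything else is a syntax error."""
    tokens, pos, predicate = [], 0, predicate.strip()
    while pos < len(predicate):
        m = TOKEN_RE.match(predicate, pos)
        if m is None:
            raise ValueError(f"syntax error near {predicate[pos:]!r}")
        lit, var, name, eq = m.groups()
        if lit is not None:
            tokens.append(("str", lit[1:-1]))
        elif var is not None:
            tokens.append(("var", var[1:]))
        elif name is not None:
            tokens.append(("kw" if name in ("and", "or") else "name", name))
        else:
            tokens.append(("eq", "="))
        pos = m.end()
    return tokens

class _Predicate:
    """Evaluates  or_expr := and_expr ('or' and_expr)*,  and_expr := cmp ('and' cmp)*,
    cmp := operand '=' operand  against one <user> node.  As in XPath 1.0 (and as
    the text explains) 'and' binds tighter than 'or'."""
    def __init__(self, tokens, node, variables):
        self.toks, self.i, self.node, self.vars = tokens, 0, node, variables
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else (None, None)
    def or_expr(self):
        value = self.and_expr()
        while self.peek() == ("kw", "or"):
            self.take()
            value = self.and_expr() or value   # right side first so its tokens are consumed
        return value
    def and_expr(self):
        value = self.cmp()
        while self.peek() == ("kw", "and"):
            self.take()
            value = self.cmp() and value
        return value
    def cmp(self):
        lhs = self.operand()
        if self.take() != ("eq", "="):
            raise ValueError("expected '='")
        return lhs == self.operand()
    def operand(self):
        kind, text = self.take()
        if kind == "str":
            return text
        if kind == "var":                       # bound value: used as data, never as code
            return self.vars[text]
        if kind == "name":                      # text of a child element, '' if absent
            return self.node.findtext(text, default="")
        raise ValueError(f"unexpected token {text!r}")

def select_users(root, predicate, variables=None):
    """Return the <user> elements of root for which the predicate holds."""
    tokens, matches = tokenize(predicate), []
    for user in root.findall("user"):
        p = _Predicate(tokens, user, variables or {})
        result = p.or_expr()
        if p.i != len(tokens):
            raise ValueError("unexpected trailing tokens")
        if result:
            matches.append(user)
    return matches

def vulnerable_login(root, username, password):
    """Builds the predicate by string concatenation, as the page describes: a quote
    in the input closes the literal and the rest of the input becomes XPath."""
    predicate = f'username="{username}" and password="{password}"'
    return [u.findtext("username") for u in select_users(root, predicate)]

def safe_login(root, username, password):
    """Keeps the query text fixed and binds the input to variables, the same idea
    as parameterised XPath in a real engine (e.g. lxml's xpath(expr, u=..., p=...))."""
    matches = select_users(root, "username=$u and password=$p", {"u": username, "p": password})
    return [u.findtext("username") for u in matches]
```

Calling vulnerable_login(ROOT, 'admin" or "1"="1', "anything") returns ['admin'] because the predicate becomes username="admin" or ("1"="1" and password="anything"), while safe_login with the same input returns [] because the whole string is compared against the username element's text as data. Real engines also reject a quote that cannot be closed, so input containing an odd number of quotes raises a syntax error here just as it would there.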


That was a basic introduction to what xPath Injection actually is and how to exploit it. I will be dividing this post into 3 separate parts. This was the 1st part; in the 2nd part I will explain how to extract database information through xPath Injection, and in the 3rd part we will talk about some automated tools for exploiting xPath Injection.