Research on XPath injection attack and its defense technology
Lupeijun
(School of Computer Science and Technology, Nantong University, Nantong 226019, Jiangsu)
Abstract  XML technology is widely used, and the security of XML data is increasingly important. This article briefly introduces the principle of XPath injection attacks against XML data. Building on the common defense methods proposed by earlier work, a general test model for XPath injection attacks is proposed; the model is of general applicability.
Keywords  XPath injection attack; defense technology; model
1 XPath injection attack overview
1.1 XPath definition
In recent years XML technology has been widely adopted in modern e-commerce and online shopping systems, and XPath injection attacks against XML data have begun to appear. An injection attack introduces (or "injects") code into a computer system on the assumption that the system does not check or constrain its input. The purpose of the injected code is usually to bypass or alter the program's intended function; if the bypassed function concerns system security, the result can be catastrophic. Although XML is heavily used and the security of its data matters, few researchers have so far studied defenses against XPath injection.
An XPath injection attack exploits the loose input handling and fault tolerance of an XPath parser: malicious XPath query code is attached to a URL, a form field or other input in order to read information the attacker is not authorized to see, and possibly to change it. It is a new attack method against Web services that lets an attacker obtain the full content of an XML document through XPath queries without prior knowledge of how the application's XPath queries are built.
1.2 XPath injection attack features
XPath injection attacks draw on two techniques, XPath scanning and XPath boolean queries. Such an attack lets the attacker control the XML database that the XPath queries run against, and it is effective against any application that uses XPath queries (and XML databases) for authentication, lookup or other operations. XPath injection resembles SQL injection, but from the attacker's side it has the following advantages over SQL injection.
(1) Generality. XPath injection uses XPath syntax, and XPath is a standard language. Any Web application that builds XPath queries from input without strictly handling that input therefore has an XPath injection vulnerability, and the same vulnerability can be exploited in the same way across all XPath implementations. This differs from SQL injection, where the attack has to be adapted to the SQL dialect supported by the particular database.
(2) Greater harm. XPath can reference almost every part of an XML document, and such references generally carry no access-control restrictions. In SQL injection a "user" may be limited to a particular table, column or query, whereas XPath injection can expose the complete XML document, which is the complete database. As long as the Web service application has this basic vulnerability, an automated attack on the XPath application can be constructed.
2 XPath injection attack principle
XPath injection attacks are carried out mainly by constructing special input, usually combinations of XPath syntax, which is passed as a parameter to the Web application; when the application executes the resulting XPath query, it performs the action the intruder wants. The principle is illustrated below with a login verification module.
In a Web application's login verifier there are typically two parameters, the user name (username) and the password (password), and the program authorizes the user by checking the user name and password submitted. If the validation data is stored in an XML file, the authorization works by looking up the submitted user name and password among the user records.
Suppose the file users.xml has the following contents:
<users>
  <user>
    <firstname>Ben</firstname>
    <lastname>Elmore</lastname>
    <loginID>abc</loginID>
    <password>test123</password>
  </user>
  <user>
    <firstname>Shlomy</firstname>
    <lastname>Gantz</lastname>
    <loginID>xyz</loginID>
    <password>123test</password>
  </user>
</users>
A typical XPath query for this login check is:
//users/user[loginID/text()='xyz' and password/text()='123test']
The following method, however, bypasses authentication. If the user submits loginID = 'xyz' and password = '123test', the query matches a user and authentication succeeds. If instead the user submits a value such as ' or 1=1 or ''=' in both fields, the query also succeeds, because the XPath expression becomes:
//users/user[loginID/text()='' or 1=1 or ''='' and password/text()='' or 1=1 or ''='']
This expression is logically always true, so the query always returns a match and the attacker is always admitted to the system. In this way an attacker can manipulate the application's XML documents dynamically through XPath. Once logged in, the attacker can go on to obtain the highest-privilege account and other important document information through blind XPath injection.
3 XPath injection attack defense technology
At present there is little defense technology specific to XPath injection, but the defenses developed against SQL injection can be adapted to it. The techniques are summarized as follows:
(1) All data submitted to the server is validated for legality on the server side before it is processed.
(2) Check whether the submitted data contains special characters; encode or replace such characters, or delete sensitive characters and strings.
(3) Replace the system's own error messages with generic browser (IE) error pages, so that internal error details are not disclosed.
(4) Parameterized XPath queries. The XPath query expression is built with variables, and the value bound to a variable is data, not query code that can be executed. The following code, placed in an external file that holds the query, parameterizes the query:
declare variable $loginID as xs:string external;
declare variable $password as xs:string external;
//users/user[loginID/text() = $loginID and password/text() = $password]
(5) Protect sensitive data with MD5, SSL and other cryptographic algorithms, and encrypt it in transit, so that even if an illegal user captures packets by illegal means, only encrypted information is visible.
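The attack of section 2 and the parameterized defense of item (4) side by side, as an added example that is not part of the paper (the paper's own code is the JSP of section 4). It uses Ruby's standard-library REXML in place of the paper's Java/XQuery stack: the vulnerable function concatenates the input into the XPath expression exactly as section 2 describes, while the safe function binds the input to the XPath variables $loginID and $password, so REXML's variable binding plays the role of the paper's XQuery external variables. The users.xml content is the paper's, embedded inline; the function and constant names are assumptions.

```ruby
require 'rexml/document'

# The paper's users.xml (section 2), embedded so the example runs offline.
USERS_XML = <<~XML
  <users>
    <user><firstname>Ben</firstname><lastname>Elmore</lastname>
          <loginID>abc</loginID><password>test123</password></user>
    <user><firstname>Shlomy</firstname><lastname>Gantz</lastname>
          <loginID>xyz</loginID><password>123test</password></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Vulnerable form: the query is assembled by string concatenation, as in
# section 2, so the submitted values become part of the XPath syntax.
def vulnerable_login(login_id, password)
  xpath = "//users/user[loginID/text()='#{login_id}' and password/text()='#{password}']"
  REXML::XPath.match(DOC, xpath).map { |u| u.elements['loginID'].text }
end

# Parameterized form (section 3, item 4): the expression is fixed and the
# submitted values are bound to $loginID and $password, so they are only ever
# compared as string values and are never parsed as query syntax.
SAFE_XPATH = "//users/user[loginID/text()=$loginID and password/text()=$password]"

def safe_login(login_id, password)
  vars = { 'loginID' => login_id, 'password' => password }
  REXML::XPath.match(DOC, SAFE_XPATH, nil, vars).map { |u| u.elements['loginID'].text }
end

# The always-true payload quoted in section 2.
PAYLOAD = "' or 1=1 or ''='"

if __FILE__ == $0
  p vulnerable_login('xyz', '123test')  # legitimate login matches one user
  p vulnerable_login(PAYLOAD, PAYLOAD)  # predicate is always true: every user matches
  p safe_login('xyz', '123test')        # still matches the legitimate user
  p safe_login(PAYLOAD, PAYLOAD)        # payload is just an odd string: no match
end
```

With the payload in both fields the vulnerable query returns every user in the document, because `and` binds tighter than `or` and the `1=1` terms make the whole predicate true; the parameterized query returns nothing, because the payload is compared as an opaque string against each loginID and password value.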
4 XPath attack defense model
4.1 XPath attack defense model
Based on the characteristics of XPath injection and the detection and defense techniques described above, the author builds an optimized XPath attack defense model, shown in Figure 1. Its guiding idea is that all validation takes place on the server side, because client-side validation can be bypassed, for example by disabling scripts. When the server receives data submitted by a client, it first checks whether the client's IP address is in the injection-attack database; if it is, an error message is output directly. If it is not, the server checks whether the submitted data contains illegal characters. If it does and this is the user's first illegal submission, an error message is output; if it is the second, the error message is output and the client's IP is entered into the injection-attack database, which denies that user access for two days. If the data is legitimate, the submitted values are bound to parameter variables, a secure query is executed and the results are output. IP entries in the attack database are deleted automatically after two days, which prevents a legitimate user from being locked out permanently while still thwarting the intrusion attempts of malicious users.
Figure 1  XPath attack defense model
Verification of this model shows that the system can carry out intrusion prevention automatically, reducing manual detection and saving considerable manpower. The core code of the system is as follows:
<%@ page import="java.sql.*, java.util.Date, java.util.HashMap, java.util.Map, java.io.File" %>
<%@ page import="nu.xom.Builder, nu.xom.Document, nu.xom.Nodes" %>
<%@ page import="nux.xom.xquery.XQuery, nux.xom.xquery.XQueryFactory" %>
<%!
    // Hypothetical helper: the paper elides this check. It implements section 3, item (2):
    // input containing the characters an XPath payload needs is treated as illegal.
    boolean isLegalInput(String username, String password) {
        String illegal = "'\"[]()/=";
        for (String value : new String[] { username, password }) {
            if (value == null) return false;
            for (int i = 0; i < illegal.length(); i++) {
                if (value.indexOf(illegal.charAt(i)) >= 0) return false;
            }
        }
        return true;
    }
%>
<%
    // ... (surrounding page code omitted)
    String username = request.getParameter("username");
    String password = request.getParameter("password");

    // Detect whether the client IP is in the XPath injection attack database; if so, refuse access.
    String address = request.getRemoteAddr();
    String host = request.getRemoteHost();
    Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    Connection cn = DriverManager.getConnection("jdbc:odbc:test", "sa", "IP");
    // Bound parameter rather than string concatenation, so the lookup itself cannot be injected.
    PreparedStatement stmt = cn.prepareStatement("SELECT * FROM Ipinjection WHERE ip = ?");
    stmt.setString(1, address);
    ResultSet rs = stmt.executeQuery();
    if (rs.next()) {
        out.println("Illegal user, access to this system is prohibited.");
        out.close();
    } else if (isLegalInput(username, password)) {
        // The IP is not in the attack database and the submitted information is legal:
        // query through parameterized variables, so the input cannot change the query.
        Document doc = new Builder().build("users.xml");
        XQuery xquery = new XQueryFactory().createXQuery(new File("dologin.xq"));
        Map vars = new HashMap();
        vars.put("loginID", username);
        vars.put("password", password);
        Nodes results = xquery.execute(doc, null, vars).toNodes();
        for (int i = 0; i < results.size(); i++) {
            System.out.println(results.get(i).toXML());
        }
    } else {
        // Illegal submission: count attempts in the session. On the first one only an error message is output.
        Object counter = session.getAttribute("Count");
        int count = (counter == null) ? 0 : Integer.parseInt(counter.toString());
        if (count == 0) {
            out.println("You have performed an illegal operation. This system has recorded your information; on a further illegal operation it will lock your IP.");
            session.setAttribute("Count", new Integer(count + 1));
            out.close();
        } else {
            // Second illegal submission: output the error message and record the client IP in the attack
            // database, which keeps the user out of the system. The record is deleted automatically after
            // two days, so a mistaken entry does not lock the user out permanently.
            out.println("Illegal user, this system forbids you to enter.");
            PreparedStatement ins = cn.prepareStatement(
                "INSERT INTO Ipinjection (ip, host, attacktime, username, password) VALUES (?, ?, ?, ?, ?)");
            ins.setString(1, address);
            ins.setString(2, host);
            ins.setString(3, new Date().toString());
            ins.setString(4, username);
            ins.setString(5, password);
            ins.executeUpdate();
            ins.close();
            out.close();
        }
    }
    rs.close();
    stmt.close();
    cn.close();
%>
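The decision flow of section 4.1 as a self-contained Ruby model, added here as an example and not the paper's code (the paper's implementation is the JSP above). The class name, the set of characters treated as illegal, the in-memory stand-in for the Ipinjection table, the per-IP strike counter (the JSP keeps it per session) and the injectable clock are assumptions of this example; the parameterized query step is supplied by the caller as a block so that this example does not depend on any XML library.

```ruby
class InjectionGuard
  BLOCK_SECONDS = 2 * 24 * 60 * 60   # the paper keeps an IP in the attack database for two days

  # Characters treated as illegal in submitted data (section 3, item 2): quotes,
  # brackets, parentheses, slash and '='. This set is an assumption of the example.
  ILLEGAL = /['"\[\]()\/=]/

  # clock: a callable returning the current Time; injectable so expiry can be tested offline.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @attack_db = {}          # ip => { time:, username: }  (stand-in for the Ipinjection table)
    @strikes = Hash.new(0)   # illegal submissions per client (the JSP's session "Count")
  end

  # One request through the model. Returns [verdict, query_result]:
  #   :blocked        the IP is already in the attack database
  #   :first_warning  first illegal submission: error message only
  #   :locked         second illegal submission: IP recorded in the attack database
  #   :ok             input is legal; the caller's block runs the parameterized query
  def handle(ip:, username:, password:)
    expire_old_entries
    return [:blocked, nil] if @attack_db.key?(ip)

    if [username, password].any? { |v| v.to_s.match?(ILLEGAL) }
      @strikes[ip] += 1
      return [:first_warning, nil] if @strikes[ip] < 2

      @attack_db[ip] = { time: @clock.call, username: username }
      return [:locked, nil]
    end

    [:ok, yield(username, password)]
  end

  # Entries older than two days are removed automatically (the paper's cleanup),
  # so a mistaken entry cannot lock a legitimate user out permanently.
  def expire_old_entries
    now = @clock.call
    @attack_db.delete_if { |_ip, rec| now - rec[:time] >= BLOCK_SECONDS }
  end

  def blocked?(ip)
    expire_old_entries
    @attack_db.key?(ip)
  end
end

if __FILE__ == $0
  t = Time.at(0)
  guard = InjectionGuard.new(clock: -> { t })
  # Stand-in for the secure, parameterized lookup of section 3, item (4).
  lookup = ->(user, _pass) { user == 'xyz' ? ['xyz'] : [] }
  payload = "' or 1=1 or ''='"   # the paper's always-true payload (section 2)
  p guard.handle(ip: '10.0.0.1', username: 'xyz', password: '123test', &lookup)
  p guard.handle(ip: '10.0.0.1', username: payload, password: 'x', &lookup)
  p guard.handle(ip: '10.0.0.1', username: payload, password: 'x', &lookup)
  p guard.handle(ip: '10.0.0.1', username: 'xyz', password: '123test', &lookup)
  t = Time.at(InjectionGuard::BLOCK_SECONDS)   # two days later the entry has expired
  p guard.handle(ip: '10.0.0.1', username: 'xyz', password: '123test', &lookup)
end
```

The clock is passed in rather than read from Time.now so the two-day expiry can be exercised deterministically; in a deployment the attack-database entries would live in the Ipinjection table and the cleanup would be a scheduled job rather than a check on every request.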
4.2 Usage and actual effect
Put all of the code in a file xpathinjection.jsp, include it from every page that needs validation, and adapt the encapsulated code slightly to validate other information. In actual testing, once an intruder submits illegal characters in a web page for the specified second time, the system automatically blocks that IP address from accessing the website and writes the attacking IP address, the attack time and the attacker's information to the database, giving a good anti-injection effect.
5 Concluding remarks
This paper explains the concept of XPath injection attacks, analyzes their principle and the related defense techniques, proposes an automatic defense model based on the characteristics of those techniques, gives a corresponding implementation, and obtains good practical results.
The new contribution of this paper is to synthesize the corresponding injection defense techniques into an automatic defense model, and to give the model's flow and concrete implementation, which has practical value for defending against XPath injection attacks.
Received: September 1; revised: September 12
Supported by the Natural Science Foundation of Nantong University (03040326)