XPath injection attacks

Source: Internet
Author: User

Www.2cto.com: this article can be read together with http://www.bkjia.com/Article/200710/19153.html

1. XPath injection attack overview
1.1 XPath definition
XPath injection attacks exploit the loose input handling and fault tolerance of XPath parsers: malicious XPath query fragments are attached to URLs, form fields or other inputs in order to obtain protected information or to change it. XPath injection is a comparatively new attack method against Web service applications. It allows an attacker to obtain the complete content of an XML document through XPath queries, even without knowing the application's own XPath query.
1.2 Characteristics of XPath injection attacks
XPath injection attacks use two techniques: XPath scanning and Boolean (blind) XPath querying. Through this attack, an attacker can take control of the XML data store behind the XPath query. The attack applies to any application that uses XPath queries (and XML databases) for identity authentication, search or other operations. XPath injection attacks resemble SQL injection attacks, but from the attacker's point of view XPath offers advantages in the following respects.
(1) Breadth. XPath injection uses the XPath syntax. Because XPath is a standard language, any Web application that uses XPath and does not strictly validate the input that goes into its XPath queries has an XPath injection vulnerability; the vulnerability can therefore appear in every XPath implementation. This is very different from SQL injection, where the way the injection is carried out may vary with the SQL dialect supported by the particular database.
(2) High impact. XPath can reference almost every part of an XML document, and such references generally carry no access-control restrictions. In SQL injection, by contrast, the permissions of a database "user" may be restricted to specific tables, columns or queries. An XPath injection attack can therefore retrieve the entire XML document, that is, the complete database. As long as the Web service application has this basic security vulnerability, automated attacks against XPath applications can be constructed.
2. XPath injection attack principles
XPath injection attacks mainly involve constructing special inputs, usually fragments of XPath syntax, which are passed to the Web application as parameters; when the application executes its XPath query, the operation the intruder intended is carried out. The following uses a login verification module as an example to describe how an XPath injection attack works.
The login verification program of a Web application generally takes two parameters: a username and a password. The program authorizes the user by checking the submitted username and password. If the verification data is stored in an XML file, authorization is performed by looking up the username and password in the user list; for example, the file user.xml looks as follows:
 
<users>
<user>
<firstname>Ben</firstname>
<lastname>Elmore</lastname>
<loginID>abc</loginID>
<password>test123</password>
</user>
<user>
<firstname>Shlomy</firstname>
<lastname>Gantz</lastname>
<loginID>xyz</loginID>
<password>123test</password>
</user>
</users>
 
A typical XPath query for this check is:
 
//users/user[loginID/text()='xyz' and password/text()='123test']
 
However, injection can be used to bypass this authentication. If the user submits a login and password such as loginID = 'xyz' and password = '123test', the predicate evaluates to true for that user. But if a value like ' or 1=1 or ''=' is submitted instead for both fields, the query also returns true, because the XPath expression the application builds becomes:
 
//users/user[loginID/text()='' or 1=1 or ''='' and password/text()='' or 1=1 or ''='']
 
This expression is logically always true, so the query always returns a user and the attacker gains access to the system. In this way an attacker can use XPath to manipulate the application's XML documents dynamically. After the initial attack succeeds, blind XPath injection techniques can be used to obtain the highest-privilege account and other important document contents.
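As an added illustration (example code written for this page, not code from the original article or its author), the following Ruby script builds the login check above with REXML, the XML library bundled with Ruby, first in the vulnerable string-concatenation form and then in a hardened form. The user data is constructed here to match the article's user.xml; the login allow-list pattern and the function names are assumptions made for the example.

```ruby
require "rexml/document"

# Constructed sample data mirroring the article's user.xml (not a real user store).
USER_XML = <<~XML
  <users>
    <user>
      <firstname>Ben</firstname>
      <lastname>Elmore</lastname>
      <loginID>abc</loginID>
      <password>test123</password>
    </user>
    <user>
      <firstname>Shlomy</firstname>
      <lastname>Gantz</lastname>
      <loginID>xyz</loginID>
      <password>123test</password>
    </user>
  </users>
XML

USERS_DOC = REXML::Document.new(USER_XML)

# --- Vulnerable form: user input is spliced straight into the XPath string. ---

def build_query_unsafe(login, password)
  "//users/user[loginID/text()='#{login}' and password/text()='#{password}']"
end

# Returns the loginID of the matched user, or nil when no user matches.
def authenticate_unsafe(login, password, doc = USERS_DOC)
  user = REXML::XPath.first(doc, build_query_unsafe(login, password))
  user && user.elements["loginID"].text
end

# --- Hardened form: allow-list the login ID, quote the password as an XPath literal. ---

# Hypothetical policy for this example: login IDs are short and alphanumeric.
VALID_LOGIN = /\A[A-Za-z0-9_.-]{1,64}\z/

# XPath 1.0 has no escape sequence inside string literals, so the value is
# wrapped in whichever quote character it does not contain; a value that
# contains both quote characters is assembled with concat().
def xpath_literal(value)
  value = value.to_s
  if !value.include?("'")
    "'#{value}'"
  elsif !value.include?('"')
    "\"#{value}\""
  else
    parts = value.split("'", -1).map { |part| "'#{part}'" }
    "concat(#{parts.join(%q(, "'", ))})"
  end
end

def build_query_safe(login, password)
  "//users/user[loginID/text()=#{xpath_literal(login)} and password/text()=#{xpath_literal(password)}]"
end

# Rejects malformed login IDs before any XPath is built; the password, which
# must accept arbitrary characters, is neutralised by xpath_literal instead.
def authenticate_safe(login, password, doc = USERS_DOC)
  return nil unless VALID_LOGIN.match?(login.to_s)
  user = REXML::XPath.first(doc, build_query_safe(login, password))
  user && user.elements["loginID"].text
end

if __FILE__ == $PROGRAM_NAME
  injected = "' or 1=1 or ''='"
  puts "unsafe, valid credentials    : #{authenticate_unsafe('xyz', '123test').inspect}"
  puts "unsafe, injected credentials : #{authenticate_unsafe(injected, injected).inspect}"
  puts "safe, valid credentials      : #{authenticate_safe('xyz', '123test').inspect}"
  puts "safe, injected credentials   : #{authenticate_safe(injected, injected).inspect}"
  puts "safe, injected password only : #{authenticate_safe('xyz', injected).inspect}"
end
```

Run with ruby: the vulnerable variant returns the first user in the document (abc) for the injected credentials, while the hardened variant returns nil, because the allow-list rejects the injected login outright and xpath_literal turns the injected password into a plain string literal that cannot close the quote. Where the XPath API accepts bound variables, passing values as XPath variables rather than building the expression string is the analogue of a parameterized SQL query and is the better first choice; literal quoting is the fallback for engines that only take a string.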


From Ay shadow's blog
