AttackFlow Findings Dictionary


XPath Injection

The attacker can inject unauthorized partial XPath query strings and steal information, such as tokens or even the whole XML document itself.

Severity

Critical

Fix Cost

Low

Trust Level

High

Using path expressions, XPath acts as a query language for looking up nodes in XML documents. It provides a set of functions that cover everything from simple to complex queries.

Suppose the backend code is similar to the following snippet:

using System.Xml;
using System.Xml.XPath;

XmlDocument XmlDoc = new XmlDocument();
XmlDoc.Load("books.xml");

XPathNavigator nav = XmlDoc.CreateNavigator();
// Untrusted request data is concatenated straight into the XPath expression (the flaw)
String xPath = "//book/title[text()='" + Request["title"] + "']/text()";

XPathExpression e = nav.Compile(xPath);
XPathNodeIterator nodeSet = (XPathNodeIterator)nav.Evaluate(e);

Every injection attack stems from mixing code with untrusted data. As developers, we are rarely given secure APIs that keep these two pieces of information (code and data) apart until runtime. In the code above, the data (the title coming from the user) is concatenated into the code (the partial XPath filter in the program), which results in XPath injection. The attacker can manipulate the XPath query and access information that would otherwise be out of reach.

For example, by sending XML' or '2' > '1 as Request["title"], the attacker may access every book in the target XML document, including books that would otherwise be inaccessible.

The same flaw appears in a Java backend similar to the following snippet:

import java.io.InputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.*;

// Untrusted request data is concatenated straight into the XPath filter (the flaw)
String title = request.getParameter("title");
try {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    InputStream inputStream = servletContext.getResourceAsStream("/WEB-INF/books.xml");
    Document doc = builder.parse(inputStream);

    XPath xpath = XPathFactory.newInstance().newXPath();
    String filter = "//book[starts-with(title,'" + title + "')]";
    XPathExpression xl = xpath.compile(filter);
    NodeList nodeList = (NodeList) xl.evaluate(doc, XPathConstants.NODESET);

    for (int i = 0; i < nodeList.getLength(); i++) {
        Node node = nodeList.item(i);
        ...
    }
} catch (Exception ex) {
    ...
}


For example, by sending XML' or '2' > '1 as request.getParameter("title"), the attacker may access every book in the target XML document, including books that would otherwise be inaccessible.
