Yesterday I wrote a quick proposal for the Synapse project. Since not everyone has access to the Synapse project, I will share some ideas here from time to time. I started with a proposal on how to detect XPath injection vulnerabilities. Since XPath can be used in combination with every server-side language, it is easy to write a detection flow for most languages. XPath injection attacks are similar to regular SQL injection: it is possible to inject the same kinds of vectors as we normally do, with a slight difference in the ending syntax in most cases. This document proposes a technique for finding them; it does not include a method for looking around a vulnerability in order to determine whether functions are being called, nor variable correlation. That will be incorporated in a later phase, since I like to have different levels of detecting vulnerabilities. As such, this is to be treated as a loose method for locating XPath injections. XPath has no built-in protection against injection, and thus it can be found in much software where programmers do not escape input or use parametrized queries.
XPath affects:
PHP / .NET / JAVA / Ruby
XPath vulnerable code example for Java:
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;

XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
// name and password come straight from the request: no escaping, no parametrization
XPathExpression expr = xpath.compile("//users/user[name/text()='" + name + "' and password/text()='" + password + "']/first/text()");
As you can see, the login and password credentials are not escaped. This means that you can break the query with a single-quote sequence such as: ' or 1=1 or '' = '
Vulnerability detection proposal
If not properly implemented, the XPath statement lacks the at sign '@', which indicates a parametrized statement, but does have a concatenation operator in the form of a plus sign '+'. So, in order to loosely scan for XPath injections in Java, we search for:
Compile/evaluation sequence:
/xpath\.compile/ and /xpath\.evaluate/
Concatenation operator indicating a risk:
/\+/
Combined in regular expression flow:
/xpath\.(compile|evaluate).*('|").*\+.*\+/
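As an added example, not code from the post or from the Synapse project, here is the detection flow above implemented as a small Python scanner run over a constructed Java-like snippet. The three regexes are the ones listed above; the sample source, the function names scan_java and java_statements, and the identifiers resolver and user inside the sample are invented for illustration. The scanner also handles one thing the raw regex alone does not: a statement wrapped over several lines (as the example earlier in the post is) is reassembled before matching, and a line-by-line mode shows what a plain grep would miss.

```python
import re

# The detection flow from the post, expressed as three patterns:
# a compile/evaluate call, the concatenation operator, and the combined rule that
# also demands a string literal and at least two '+' in the same statement.
XPATH_CALL = re.compile(r'xpath\.(compile|evaluate)')
CONCAT = re.compile(r'\+')
XPATH_CONCAT = re.compile(r'''xpath\.(compile|evaluate).*('|").*\+.*\+''')


def java_statements(source):
    """Yield (first_line_number, statement_text) pairs from Java-like source.

    Lines are joined until a ';', '{' or '}' closes the statement, because a
    concatenated XPath expression is often wrapped over several lines and a
    line-by-line regex would then miss the '+' operators on the continuation.
    Blank lines and '//' comment lines are ignored.
    """
    buf, start = [], None
    for number, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith('//'):
            continue
        if start is None:
            start = number
        buf.append(text)
        if text.endswith((';', '{', '}')):
            yield start, ' '.join(buf)
            buf, start = [], None
    if buf:  # unterminated trailing statement
        yield start, ' '.join(buf)


def scan_java(source, join_statements=True):
    """Return [(line_number, statement)] for statements matching the flow.

    join_statements=False applies the regexes line by line, which is what a
    naive grep does; the default reassembles statements first.
    """
    units = (java_statements(source) if join_statements
             else enumerate(source.splitlines(), 1))
    findings = []
    for number, text in units:
        if XPATH_CALL.search(text) and CONCAT.search(text) and XPATH_CONCAT.search(text):
            findings.append((number, text))
    return findings


# Constructed Java-like sample (not from any real project): one concatenated
# query split over two lines, one parametrized query using $name/$password bound
# through an XPathVariableResolver, and one concatenation unrelated to XPath.
SAMPLE_JAVA = """\
import javax.xml.xpath.*;

XPath xpath = XPathFactory.newInstance().newXPath();
// vulnerable: request parameters concatenated into the expression
XPathExpression expr = xpath.compile("//users/user[name/text()='"
    + name + "' and password/text()='" + password + "']/first/text()");
// parametrized: values are bound as XPath variables, no '+' in the statement
xpath.setXPathVariableResolver(resolver);
XPathExpression safe = xpath.compile("//users/user[name/text()=$name and password/text()=$password]/first/text()");
// concatenation that has nothing to do with XPath: must not be flagged
String greeting = "hello " + user + "!";
"""

if __name__ == '__main__':
    for number, statement in scan_java(SAMPLE_JAVA):
        print(f'line {number}: {statement}')
    print('line-by-line findings:', scan_java(SAMPLE_JAVA, join_statements=False))
```

Run as a script it reports the concatenated compile on line 5 of the sample and nothing else; the line-by-line mode reports nothing at all, because the call and the '+' operators sit on different lines. The parametrized statement, with the values bound as $name and $password, is the shape the scanner should stay quiet on, so a finding that disappears after such a rewrite is the expected signal.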
Trivia
HealthVault uses Xpath in their Java SDK ;)