Security research, news and guidance

Injection attacks, its not just SQL!

November 27, 2009  |  Written by Security Ninja  |   Application Security   |   6 Comments

Hi everyone,

I wanted to cover something a bit different in this weeks blog post, specifically I decided to explain an injection based attack that isn’t SQL Injection! The huge amount of press and attention SQL Injection vulnerabilities quite rightly receive often means that other injection based attacks are either unheard of or underestimated. So I decided to give another Injection based attack its 15 minutes of fame today!

I’m going to cover XPath Injection which is very similar to SQL Injection with regards to the vulnerability it exploits (a lack of input validation) and even the methods used to exploit/test for these vulnerabilities is similar as you will see in my examples later on.

Before we jump into the explaining the vulnerability I have included a description of what XPath is below:

“XPath is the result of an effort to provide a common syntax and semantics for functionality shared between XSL Transformations [XSLT] and XPointer [XPointer]. The primary purpose of XPath is to address parts of an XML [XML] document. In support of this primary purpose, it also provides basic facilities for manipulation of strings, numbers and booleans. XPath uses a compact, non-XML syntax to facilitate use of XPath within URIs and XML attribute values. XPath operates on the abstract, logical structure of an XML document, rather than its surface syntax. XPath gets its name from its use of a path notation as in URLs for navigating through the hierarchical structure of an XML document.”

Source: http://www.w3.org/TR/xpath

So in simple terms it is similar to SQL but instead of accessing databases you are acessing XML files.

The image below is a simple example of a website using an XML file called unames.xml to store the usernames and paswords of the website users.

Website using XML to Authenticate Users

The user enters their username and password into the website and clicks the submit button, the site will then execute an XPath query to see if the credentials are valid. The contents of unames.xml would be something similar to this:

unamesxml

If the credentials match the user is authenticated successfully.

If the website fails to validate the user supplied input it is possible to exploit this application in a very similar manner to a website with a SQL Injection vulnerability. When the website wants to check the validity of the users credentials it would execute an XPath query that looks like this:

//unames/user[loginID/text()=‘sninja’ and password/text()=‘secret’]

You can see that the syntax of the query is fairly easy to understand. It is accessing unames.xml and specifically the user node within unames.xml. The second part of the query is looking up the user supplied loginID and password values.

If a malicious user were to use this website they could execute an XPath injection attack against the authentication process as you can see in the image below:

Website using XML to Authenticate Users (Malicious)

The malicious user enters the well known injection test string of ‘ OR 1=1 into our website and in turn this is entered into our XPath query:

//unames/user[LoginID/text()=' ' or 1=1  and password/text()=' ' or 1=1]

This allows the malicious user to access the Ninja Test Site without having a valid username and password because 1=1 always equates to “true”.

SN

This entry was posted on November 27, 2009 at 11:53 am and is filed under Application Security . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

6 comments   >

  1. Pingback: uberVU - social comments

  2. OreoShake says:

    Is there a ‘PreparedStatement’ish facility for XPath Injection? Or perhaps a library for filtering out the harmful characters?

  3. Security Ninja says:

    Hi there,

    There is something similar to prevent XPath injections, they are called precompiled XPath queries. A good article covering these can be found here:

    http://www.tkachenko.com//archives/000385.html

    SN

  4. Owasp@owasp.org says:

    Escaping! If you can’t parameterize then escape. Try escapeForXpath in OWASP ESAPI.

  5. Pingback: Twitted by m_genova

  6. Pingback: In einem Wort « Erich sieht

Leave a comment

VIDEOS & SLIDESHARES

Look at our latest security Videos & SlideShares

EVENTS & SEMINARS

Upcoming Security Events & Seminars

PODCASTS & DOWNLOADS

Check out our Podcasts & White Papers