-
Notifications
You must be signed in to change notification settings - Fork 105
Test 7) XPATH Injection
Yalçın YOLALAN edited this page Mar 28, 2018
·
2 revisions
Vulnerability Type Dynamic
Test Web Service URI http://[yourhostName]/XPATH.asmx?WSDL
Vulnerable Code Block his method takes username and password as parameters and makes authentication check using XML file containing user accounts. It does not validate/sanitize both the username and password parameters.
public string LoginMeFromXMLFile(string username, string pwd)
{
string xml = @"<?xml version=""1.0"" encoding=""utf-8""?>
<Employees>
<Employee ID=""1"">
<FirstName>Arnold</FirstName>
<LastName>Baker</LastName>
<UserName>ABaker</UserName>
<Password>SoSecret</Password>
<Type>Admin</Type>
</Employee>
<Employee ID=""2"">
<FirstName>Peter</FirstName>
<LastName>Pan</LastName>
<UserName>PPan</UserName>
<Password>NotTelling</Password>
<Type>User</Type>
</Employee>
</Employees>";
XmlDocument document = new XmlDocument();
document.LoadXml(xml);
string xpathExpr = "//Employee[UserName/text()='" + username + "' and Password/text()='" + pwd + "']";
XmlNode node = document.SelectSingleNode(xpathExpr);
if (node != null)
{
return "Login Success";
}
else
{
return "Username or password is incorrect";
}
}
Attack Payload 1' or 1=1
Vulnerable Method Name LoginMeFromXMLFile
Vulnerable Parameter Name username and pwd
Response
System.Xml.XPath.XPathException: '//Employee[UserName/text()='1' or 1=1' and Password/text()='A']' has an invalid token. Incorrect syntax near ''.
Indications of Vulnerability
Web server returned: Http status code is 500 (i.e. Internal Error).
Attack payload causes getting XPATH exception. This behaviour indicates that error based XPATH Injection vulnerability’s probability is high.
- Home
- Installation
- Usage
- Default Parameter Values
- Scope
- Donation
-
Testing Activities
- XML Bombs
- External Entity Attacks
- Insecure Communication
- Insufficient Authentication Test
- Cross Site Scripting
- SQL Injection
- XPATH Injection
- Verbose SOAP Fault Message
- Weak WS-SecurityPolicy: Insecure Transport
- Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
- Weak WS-SecurityPolicy: Tokens Not Protected
- Weak XML Schema: Undefined Namespace
- Weak XML Schema: Unbounded Occurrences