XPath is a query language designed to select and operate on data described in XML. XPath injection lets an attacker insert XPath syntax into a query that the application builds from user input. Typical goals are bypassing authentication or reading data the attacker is not authorized to see.
We are going to learn using a simple example. Download the code from here and put it in your local server directory. (The code was created by Amol Naik.)
Sample XML document we are going to use:-
<Employees>
<!-- Employees Database -->
<Employee ID="1">
<FirstName>Johnny</FirstName>
<LastName>Bravo</LastName>
<UserName>jbravo</UserName>
<Password>test123</Password>
<Type>Admin</Type>
</Employee>
<Employee ID="2">
<FirstName>Mark</FirstName>
<LastName>Brown</LastName>
<UserName>mbrown</UserName>
<Password>demopass</Password>
<Type>User</Type>
</Employee>
<Employee ID="3">
<FirstName>William</FirstName>
<LastName>Gates</LastName>
<UserName>wgates</UserName>
<Password>MSRocks!</Password>
<Type>User</Type>
</Employee>
<Employee ID="4">
<FirstName>Chris</FirstName>
<LastName>Dawes</LastName>
<UserName>cdawes</UserName>
<Password>letmein</Password>
<Type>User</Type>
</Employee>
</Employees>
Bypass Authentication:-
Browse to the login.php page, where we see a simple login form.
If the application does not properly filter this input, the tester can inject XPath code and change the result of the query. For instance, the tester could enter the following values:
Username: ' or '1' = '1
Password: ' or '1' = '1
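To show why these values work and how a defender stops them, here is an added Ruby example (not the post's code and not Amol Naik's login.php). It loads the sample Employees document above with Ruby's standard REXML library, runs the login query once with the fields spliced directly into the XPath string, and once through a hardened lookup that refuses any input able to close the quoted literal. The function names, the query shape and the allowlist pattern are assumptions for illustration.

```ruby
require 'rexml/document'

# Constructed copy of the post's sample Employees document (same records as above,
# with the name elements dropped because the login query never touches them).
EMPLOYEES_XML = <<~XML
  <Employees>
    <Employee ID="1"><UserName>jbravo</UserName><Password>test123</Password><Type>Admin</Type></Employee>
    <Employee ID="2"><UserName>mbrown</UserName><Password>demopass</Password><Type>User</Type></Employee>
    <Employee ID="3"><UserName>wgates</UserName><Password>MSRocks!</Password><Type>User</Type></Employee>
    <Employee ID="4"><UserName>cdawes</UserName><Password>letmein</Password><Type>User</Type></Employee>
  </Employees>
XML

DOC = REXML::Document.new(EMPLOYEES_XML)

# Builds the login predicate the way a naive login page would: raw input inside
# single-quoted XPath literals, then evaluates it and returns the matching Employee IDs.
def lookup_employees(user, pass)
  query = "//Employee[UserName='#{user}' and Password='#{pass}']"
  REXML::XPath.match(DOC, query).map { |e| e.attributes['ID'] }
end

# Vulnerable login: whatever was typed becomes part of the XPath expression.
# With "' or '1' = '1" in both fields the predicate turns into
#   UserName='' or '1' = '1' and Password='' or '1' = '1'
# whose last "or" branch is always true, so every Employee node matches.
def login_vulnerable(user, pass)
  lookup_employees(user, pass)
end

# Assumed allowlist: only characters that can never terminate the quoted literal or
# introduce XPath operators. Quotes, spaces, parentheses, brackets and '/' are refused.
SAFE_INPUT = /\A[A-Za-z0-9_.!@-]{1,64}\z/

# Hardened login: validate before any expression is built. Injection attempts fail
# closed (no match) instead of reaching the XPath engine.
def login_hardened(user, pass)
  return [] unless user.match?(SAFE_INPUT) && pass.match?(SAFE_INPUT)
  lookup_employees(user, pass)
end

if __FILE__ == $PROGRAM_NAME
  injected = "' or '1' = '1"
  puts "vulnerable, injected: #{login_vulnerable(injected, injected).inspect}"
  puts "hardened, injected:   #{login_hardened(injected, injected).inspect}"
  puts "hardened, jbravo:     #{login_hardened('jbravo', 'test123').inspect}"
end
```

The vulnerable call returns all four employee IDs for the injected values, which is exactly the authentication bypass the post describes; the hardened call returns nothing for the same input and still returns ID 1 for jbravo/test123. Where the XPath library supports binding values as variables, prefer that over assembling the expression from strings and keep the allowlist as a second layer; and note that the sample stores passwords in clear text, so comparing them inside the query at all is a separate weakness.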