XPATH injection
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
Information on how to write XPath queries: https://www.w3schools.com/xml/xpath_syntax.asp
Basic Syntax
Nodes
| Expression | Description |
|---|---|
| `nodename` | Selects all nodes with the name "nodename" |
| `/` | Selects from the root node |
| `//` | Selects nodes in the document from the current node that match the selection, no matter where they are |
| `.` | Selects the current node |
| `..` | Selects the parent of the current node |
| `@` | Selects attributes |
Examples:
| Path Expression | Result |
|---|---|
| `bookstore` | Selects all nodes with the name "bookstore" |
| `/bookstore` | Selects the root element bookstore. Note: if the path starts with a slash (`/`) it always represents an absolute path to an element! |
| `bookstore/book` | Selects all book elements that are children of bookstore |
| `//book` | Selects all book elements no matter where they are in the document |
| `bookstore//book` | Selects all book elements that are descendants of the bookstore element, no matter where they are under the bookstore element |
| `//@lang` | Selects all attributes that are named lang |
Predicates
| Path Expression | Result |
|---|---|
| `/bookstore/book[1]` | Selects the first book element that is the child of the bookstore element. Note: in IE 5, 6, 7, 8 and 9 the first node is `[0]`, but according to W3C it is `[1]`. To solve this problem in IE, set the SelectionLanguage to XPath; in JavaScript: `xml.setProperty("SelectionLanguage","XPath");` |
| `/bookstore/book[last()]` | Selects the last book element that is the child of the bookstore element |
| `/bookstore/book[last()-1]` | Selects the last but one book element that is the child of the bookstore element |
| `/bookstore/book[position()<3]` | Selects the first two book elements that are children of the bookstore element |
| `//title[@lang]` | Selects all the title elements that have an attribute named lang |
| `//title[@lang='en']` | Selects all the title elements that have a "lang" attribute with a value of "en" |
| `/bookstore/book[price>35.00]` | Selects all the book elements of the bookstore element that have a price element with a value greater than 35.00 |
| `/bookstore/book[price>35.00]/title` | Selects all the title elements of the book elements of the bookstore element that have a price element with a value greater than 35.00 |
Unknown Nodes
| Wildcard | Description |
|---|---|
| `*` | Matches any element node |
| `@*` | Matches any attribute node |
| `node()` | Matches any node of any kind |
Examples:
| Path Expression | Result |
|---|---|
| `/bookstore/*` | Selects all the child element nodes of the bookstore element |
| `//*` | Selects all elements in the document |
| `//title[@*]` | Selects all title elements which have at least one attribute of any kind |
Example
Authentication Bypass
Example of queries:
OR bypass in user and password (same value in both)
Abusing null injection
Double OR in username or in password (works even if only one field is vulnerable)
IMPORTANT: notice that the "and" is evaluated first, because it binds more tightly than "or".
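The following is an added example, not code from the original page: a constructed user store queried with Ruby's standard-library REXML (assumed here only because it implements full XPath 1.0). It shows a login check that concatenates input into the query beside a hardened version that binds the input as XPath variables, and it reproduces the precedence point above: a single OR in the username is still ANDed with the password and fails, while a second OR bypasses the check.

```ruby
require "rexml/document"

# Constructed sample user store for this demo (not from the original page).
USERS_XML = <<~XML
  <users>
    <user><name>admin</name><password>s3cret</password><role>admin</role></user>
    <user><name>bob</name><password>hunter2</password><role>user</role></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Returns the role of a matched user element, or nil when nothing matched.
def role_of(node)
  node && node.elements["role"].text
end

# Vulnerable: user input is concatenated straight into the XPath expression,
# so a quote character in the input changes the structure of the query.
def login_vulnerable(name, password)
  query = "//user[name='#{name}' and password='#{password}']"
  role_of(REXML::XPath.first(DOC, query))
end

# Hardened: the expression is fixed and the values are bound as XPath
# variables ($n, $p), so the input is only ever compared as a string value.
def login_safe(name, password)
  query = "//user[name=$n and password=$p]"
  role_of(REXML::XPath.first(DOC, query, nil, { "n" => name, "p" => password }))
end

# Legitimate use: both versions return the role of the matching user.
puts login_vulnerable("admin", "s3cret")   # admin
puts login_safe("admin", "s3cret")         # admin

# Precedence: `and` binds tighter than `or`, so a single OR in the username
# is still ANDed with the wrong password and matches no user.
puts login_vulnerable("x' or '1'='1", "y").inspect         # nil
# A second OR closes the AND group, the predicate becomes true for every
# user and the first one (admin) is returned: authentication bypassed.
puts login_vulnerable("x' or 1=1 or 'a'='b", "y")          # admin
# The same input is harmless when it is bound as a variable.
puts login_safe("x' or 1=1 or 'a'='b", "y").inspect         # nil
```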
String extraction
The output contains strings, and the user can manipulate the values being searched for:
Blind Exploitation
Get length of a value and extract it by comparisons:
Example:
References
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection