Lesser Known Injections: XML Injections
AMol NAik

About me
Web Application Pentester
Core member of Garage4Hackers
Bounty Hunter in the past
Currently fuzzing browsers for Fun & Profit

Garage4Hackers
Family of 3,800, posts 8k+
40+ best Bug Bounty submissions
15+ browser bugs in Chrome, IE, FF & Safari
ASLR bypass method presented at CanSecWest was already shared on the G4H forum
5+ Information Security Research (cable TV & Datacard)
10+ Tools & scripts, 1+ Web application CTF
Ranchhoddas Webcast Series: 5+ webinars
Follow us on Twitter @garage4hackers

Agenda
XML Basics
XML Injection
XXE Attack
XPath Basics
XPath Injections

"XXE is the new SQL Injection" - Someone on Twitter

XML Injection in the Real World
Yandex pwned for $5000 with XXE by @d0znpp
OpenID XXE by Reginaldo Silva
Multiple XXE bugs by @Securatary team
XXE in Google Toolbar by Detectify team - $10k

XML Basics
eXtensible Markup Language
Flexible text-based format
Presents structured info
Used for data exchange/storage

XML Components

XML - CDATA Section
Tells the parser not to interpret the characters in this section as markup.

XML Injections
Injection Points:
Node Attribute
Node Value
CDATA Section

XXE Attack
XML Entity: a variable, defined in the document's DTD, that the parser expands wherever it is referenced.
Can be internal (value given in the declaration) or external (value fetched from a URI).

XPath Basics
Language to select XML nodes
Treats XML data as a tree of values
Similar to SQL (in some sense)

XPath Syntax
Uses path expressions to select nodes or node-sets in an XML document.

Expression   Description
nodename     Selects all child nodes of the named node
/            Selects from the root node
//           Selects nodes from the current node that match the selection, no matter where they are
.            Selects the current node
..           Selects the parent of the current node

XPath Predicates
Used to find a specific node, or a node that contains a specific value. Always embedded in square brackets.

Expression                         Result
/Employees/Employee[1]             Selects the first 'Employee' element that is a child of the 'Employees' element
/Employees/Employee[last()]        Selects the last 'Employee' element that is a child of the 'Employees' element
/Employees/Employee[position()<3]  Selects the first two 'Employee' elements that are children of the 'Employees' element
//Employee[@ID='1']                Selects all 'Employee' elements that have an attribute named 'ID' with a value of '1'

XPath Location Path
Syntax: axisname::nodetest[predicate]

Example               Result
child::Employee       Selects all 'Employee' nodes that are children of the current node
attribute::id         Selects the id attribute of the current node
child::*              Selects all children of the current node
attribute::*          Selects all attributes of the current node
child::text()         Selects all text child nodes of the current node
child::node()         Selects all child nodes of the current node
descendant::Employees Selects all 'Employees' descendants of the current node

XPath Injection
XPath Query:
/Employees/Employee[UserName/text() = 'user' and Password/text() = 'passwd']/Type/text()

No UserName & Password known:

UserName known:
/Employees/Employee[UserName/text() = 'mbrown' or '1'='1' and Password/text() = 'anything']/Type/text()

No UserName & Password known & Password is not vulnerable:

Conclusion
XML Injections are ignored
Many sites have these issues

That's It !!
AMol NAik
@amolnaik4
amolnaik4@garage4hackers.com

References
XPath Injection
Hacking XPath 2.0
Blind XPath Injection
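The deck names three XML injection points (node attribute, node value, CDATA section) without showing how a record ends up carrying attacker markup. The following Ruby example is added here and is not from the slides or the author; it uses the standard-library REXML parser and constructed inputs (the INJECTED_NAME and INJECTED_ID values are made up) to contrast a record built by string interpolation with the same record built through the DOM API, which escapes the input so it stays a single text node or attribute value.

```ruby
require 'rexml/document'

# Constructed inputs aimed at the node-value and attribute injection points:
# a user name that closes UserName and smuggles in a Type element, and an
# ID that closes its quote and declares an attribute of its own.
INJECTED_NAME = 'mbrown</UserName><Type>admin</Type><UserName>x'
INJECTED_ID   = '7" Role="admin'

# Vulnerable: the record is assembled by string interpolation, so markup in
# the input becomes markup in the document.
def build_record_unsafe(id, user, type)
  "<Employee ID=\"#{id}\"><UserName>#{user}</UserName><Type>#{type}</Type></Employee>"
end

# Hardened: the record is assembled through the DOM API. REXML escapes
# '<', '&' and quote characters when it serialises text and attribute values,
# so each input lands in exactly one text node or one attribute.
def build_record_safe(id, user, type)
  rec = REXML::Element.new('Employee')
  rec.add_attribute('ID', id)
  rec.add_element('UserName').text = user
  rec.add_element('Type').text = type
  rec.to_s
end

# What a downstream consumer of the record would see after parsing it back.
def record_view(xml)
  doc = REXML::Document.new(xml)
  {
    id:    doc.root.attributes['ID'],
    role:  doc.root.attributes['Role'],
    names: REXML::XPath.match(doc, '//UserName').map(&:text),
    types: REXML::XPath.match(doc, '//Type').map(&:text)
  }
end

if __FILE__ == $PROGRAM_NAME
  [build_record_unsafe(INJECTED_ID, INJECTED_NAME, 'user'),
   build_record_safe(INJECTED_ID, INJECTED_NAME, 'user')].each do |xml|
    puts xml
    p record_view(xml)
  end
end
```

With the interpolated builder the parsed record reports a Role attribute and two Type values ("admin" and "user"); with the DOM builder the same input parses back as one ID attribute equal to the injected string, one UserName whose text is the injected string, and the single Type "user". The CDATA point on the slide behaves the same way: a value containing "]]>" ends the section early, which is why CDATA is not a substitute for escaping.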
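The XXE slides define an entity as a variable that can be internal or external. The Ruby example below is added here and is not from the deck; it is built on REXML with two constructed documents (the SYSTEM URI in EXTERNAL_ENTITY_XML is a placeholder, not a real target) to show the entity mechanism on an internal entity and a loader for untrusted input that refuses any document carrying a DOCTYPE, the only place an entity can be declared. REXML stores element text raw and expands entity references only when a value is read, so the check runs before any expansion could happen.

```ruby
require 'rexml/document'

# Constructed sample with an internal entity: the parser expands &company;
# from the declaration in the internal DTD subset when the value is read.
INTERNAL_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [ <!ENTITY company "Garage4Hackers"> ]>
  <note><from>&company;</from></note>
XML

# Constructed sample shaped like an XXE probe: an external (SYSTEM) entity
# whose URI is a placeholder. The hardened loader rejects the document
# before anything would resolve it.
EXTERNAL_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path"> ]>
  <note><from>&ext;</from></note>
XML

PLAIN_XML = '<note><from>alice</from></note>'

class DoctypeNotAllowed < StandardError; end

# Plain parse of a trusted document: reading the text triggers expansion of
# the internal entity declared in the DTD.
def from_field(xml)
  REXML::Document.new(xml).root.elements['from'].text
end

# Hardened loader for untrusted input. Entities can only be declared inside a
# DOCTYPE, so refusing any document that has one removes external entity
# resolution and entity-expansion blow-ups in a single check, with no need
# to inspect the declarations themselves. Where a DOCTYPE must be tolerated,
# REXML::Security.entity_expansion_limit caps expansion as defence in depth.
def parse_untrusted(xml)
  doc = REXML::Document.new(xml)
  raise DoctypeNotAllowed, 'DOCTYPE declarations are not accepted' if doc.doctype
  doc
end

# true when the document passes the loader, false when it is rejected.
def accepted?(xml)
  parse_untrusted(xml)
  true
rescue DoctypeNotAllowed
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "internal entity expands to: #{from_field(INTERNAL_ENTITY_XML)}"
  { plain: PLAIN_XML, internal: INTERNAL_ENTITY_XML, external: EXTERNAL_ENTITY_XML }.each do |label, xml|
    puts "#{label}: #{accepted?(xml) ? 'accepted' : 'rejected'}"
  end
end
```

The plain document is accepted; both documents with a DOCTYPE are rejected, whether the entity they declare is internal or external. Refusing DOCTYPE outright is the simplest policy for input such as API bodies and uploads, where a legitimate client has no reason to send a DTD.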
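The XPath Injection slides show the login query and the "UserName known" payload, but not the query evaluating against data, nor what stops it. The Ruby example below is added here and is not from the deck or its author; it evaluates the slide's query with REXML's XPath 1.0 engine over a constructed Employees document (the records, passwords and the DOC constant are made up) and contrasts the interpolated query with one whose inputs are wrapped by an xpath_literal helper. XPath 1.0 string literals have no escape sequence, so the helper picks the quote character the value does not contain and falls back to concat() when it contains both.

```ruby
require 'rexml/document'

# Constructed employee records in the shape the deck's queries assume.
EMPLOYEES_XML = <<~XML
  <Employees>
    <Employee ID="1"><UserName>mbrown</UserName><Password>s3cret</Password><Type>admin</Type></Employee>
    <Employee ID="2"><UserName>jdoe</UserName><Password>hunter2</Password><Type>user</Type></Employee>
  </Employees>
XML
DOC = REXML::Document.new(EMPLOYEES_XML)

# The payload from the "UserName known" slide: 'and' binds tighter than 'or',
# so the predicate becomes UserName='mbrown' OR ('1'='1' AND Password=...),
# which is true for mbrown whatever the password.
PAYLOAD = "mbrown' or '1'='1"

# Vulnerable: the query is built by interpolation, exactly as on the slide.
def type_for_unsafe(user, pass)
  q = "/Employees/Employee[UserName/text() = '#{user}' and Password/text() = '#{pass}']/Type/text()"
  REXML::XPath.match(DOC, q).map(&:value)
end

# Render a Ruby string as an XPath 1.0 string literal. A value with only
# single quotes is wrapped in double quotes and vice versa; a value with both
# is split at the single quotes and reassembled with concat().
def xpath_literal(s)
  return "'#{s}'" unless s.include?("'")
  return "\"#{s}\"" unless s.include?('"')
  parts = s.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{parts.join(', "\'", ')})"
end

# Hardened: user input only ever enters the query as a literal, so the
# quote in the payload cannot end the string and start an expression.
def type_for_safe(user, pass)
  q = "/Employees/Employee[UserName/text() = #{xpath_literal(user)} and " \
      "Password/text() = #{xpath_literal(pass)}]/Type/text()"
  REXML::XPath.match(DOC, q).map(&:value)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe, payload: #{type_for_unsafe(PAYLOAD, 'anything').inspect}"
  puts "safe,   payload: #{type_for_safe(PAYLOAD, 'anything').inspect}"
  puts "safe,   real creds: #{type_for_safe('mbrown', 's3cret').inspect}"
end
```

Against this data the interpolated query returns ["admin"] for the payload with password "anything", while the literal-wrapped query returns nothing for the payload and still returns the correct Type for valid credentials. Where the XPath engine supports variable binding, passing the values as variables is the equivalent of a parameterised SQL query and is preferable to quoting by hand.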