Tuesday, August 23, 2011

Play with XPATH Blind Explorer

xpath-blind-explorer v1.0 was released at BlackHat_US 2011.

This is an automated tool that extracts the whole XML document through a blind XPath injection vulnerability.

Check the following links for more information:

Demo video:


In the demo video, only the GET method with a single parameter was shown.

What about the POST method with multiple parameters?

Let's use it against the WebGoat XPath Injection lesson.

Victim: WebGoat (XPath Injection lesson)
Attacker: Windows with xpath-blind-explorer v1.0

Attack process:

1, Submit a correct and an incorrect username/password pair (e.g. Mike/test123) to see how the two responses differ.

If the username and password are correct, the server returns that user's record; otherwise it returns nothing.
So here we use "468100", a value from the successful response, as the "true" condition keyword.

2, Check the page source to find the form's request URL and parameter names.
Using Firebug, we got the request URL:

The parameter names:

Username, Password and SUBMIT

3, Configure XPath Blind Explorer as follows:

Use Burp Proxy (listening on localhost, port 8080) to check how the request is built.

Add the session cookie so the request passes authentication with the WebGoat server.

4, Now we test the condition.

Test the "true" condition:

Let's see the request captured by Burp proxy.

The injection code "'%20and%20'1'='1" is simply appended to the end of the whole parameter string, which is then URL-encoded as one unit. That means XPath Blind Explorer treats the multi-parameter string as a single parameter: in the captured request, the blue "Username" is the parameter name and the red part is the URL-encoded value.

So now, we need to solve two problems:

1, The injection code is only appended at the end of the parameter string, so we need to change the order of the parameters and put the injectable parameter last, such as:


2, Because XPath Blind Explorer treats all the parameters as one parameter, the whole string is URL-encoded, including the parameter separator "&" (which becomes "%26" but must not be encoded). So we need to replace it back to "&".

Here we use Burp Proxy's "match and replace" function, configured as follows.

Here the regex "(%26)" is used to match the keyword.

Now everything is set up. Let's launch it.

After waiting several minutes, we have the whole XML file.
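The boolean oracle behind step 1 (a "true" condition keeps the "468100" record in the response, a "false" one empties it) exists only because the lesson builds its XPath expression by concatenating the submitted values. The following Java program is an added example, not WebGoat's code and not part of xpath-blind-explorer: it reproduces the vulnerable pattern on a constructed employee list, then shows the fix, binding the inputs as XPath variables through an `XPathVariableResolver` so quote characters in the input stay literal. The element names, the sample data and the class name are assumptions; it needs Java 11 or later.

```java
import java.io.StringReader;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLoginOracle {

    // Constructed sample data: it imitates the shape of an employee list and is
    // not WebGoat's own lesson data. "468100" plays the role of the true keyword.
    static final String XML =
          "<employees>"
        + "<employee><username>Mike</username><password>test123</password><salary>468100</salary></employee>"
        + "<employee><username>Jane</username><password>s3cret</password><salary>350000</salary></employee>"
        + "</employees>";

    static Document parse() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // This data needs no DTD; refusing doctypes also closes the XXE door.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(XML)));
    }

    // Vulnerable pattern: user input is spliced into the XPath text, so a value
    // ending in  ' and '1'='1  extends the predicate instead of being compared.
    static String salaryVulnerable(Document doc, String user, String pass) throws Exception {
        String expr = "//employee[username/text()='" + user
                    + "' and password/text()='" + pass + "']/salary/text()";
        return XPathFactory.newInstance().newXPath().evaluate(expr, doc);
    }

    // Fix: the predicate is fixed text and the inputs are bound as variables
    // $u and $p, so they are always treated as whole string values.
    static String salaryHardened(Document doc, String user, String pass) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("u", user, "p", pass);
        xp.setXPathVariableResolver(name -> vars.get(name.getLocalPart()));
        return xp.evaluate("//employee[username/text()=$u and password/text()=$p]/salary/text()", doc);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse();
        // The values as they reach the application: the container URL-decodes
        // the "'%20and%20'1'='1" suffix that the tool appends.
        String trueCond  = URLDecoder.decode("test123'%20and%20'1'='1", StandardCharsets.UTF_8);
        String falseCond = URLDecoder.decode("test123'%20and%20'1'='2", StandardCharsets.UTF_8);

        System.out.println("vulnerable, correct creds : " + salaryVulnerable(doc, "Mike", "test123"));
        System.out.println("vulnerable, true cond     : " + salaryVulnerable(doc, "Mike", trueCond));
        System.out.println("vulnerable, false cond    : " + salaryVulnerable(doc, "Mike", falseCond));

        System.out.println("hardened, correct creds   : " + salaryHardened(doc, "Mike", "test123"));
        System.out.println("hardened, true cond       : " + salaryHardened(doc, "Mike", trueCond));
    }
}
```

Running it, the vulnerable lookup returns the salary for the correct credentials and for the "true" condition but an empty string for the "false" one, which is exactly the difference the tool keys on; the hardened lookup returns the salary only for the real password and an empty string for the injected value, because the variable binding leaves nothing for the appended `and` to attach to.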


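The two quirks worked around in the procedure above (the payload lands on the last parameter, and an encoded "&" turns the whole form into a single parameter) are also what a defender would look for in request logs. The class below is an added example, not part of xpath-blind-explorer or WebGoat: it parses a form body the way a servlet container does, URL-decodes each value, and flags both a quote-break followed by an XPath boolean operator and a decoded value that still contains a parameter separator. The pattern, the parameter names and the three request bodies are constructed assumptions; it needs Java 11 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class XPathInjectionLogCheck {

    // A closing quote followed by an XPath boolean operator and the start of
    // a new operand, e.g.  ' and '1'='1  or  " or 1=1  (constructed pattern).
    static final Pattern TAUTOLOGY =
        Pattern.compile("['\"]\\s*(and|or)\\s*['\"\\d]", Pattern.CASE_INSENSITIVE);

    // Split on '&' first, then decode each name and value, as a container would.
    static Map<String, String> parseForm(String body) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name  = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? ""   : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Findings for one request body; an empty list means nothing suspicious.
    static List<String> check(String body) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, String> e : parseForm(body).entrySet()) {
            String v = e.getValue();
            if (TAUTOLOGY.matcher(v).find()) {
                findings.add("xpath boolean tautology in parameter '" + e.getKey() + "': " + v);
            }
            // A decoded value that still carries "&name=" means the client encoded
            // the separator as %26, so the whole form arrived as one parameter.
            if (v.contains("&") && v.contains("=")) {
                findings.add("encoded separator inside parameter '" + e.getKey() + "': " + v);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed request bodies, not captured traffic: a normal login, a
        // login with the payload on the last parameter, and the single-parameter
        // form the tool produces before the %26 -> & replacement.
        String[] bodies = {
            "Username=Mike&Password=test123&SUBMIT=Submit",
            "Password=test123&SUBMIT=Submit&Username=Mike'%20and%20'1'='1",
            "Username=Mike%26Password%3Dtest123%27%20and%20%271%27%3D%271",
        };
        for (String body : bodies) {
            System.out.println(body);
            List<String> f = check(body);
            System.out.println(f.isEmpty() ? "  ok" : "  " + String.join("\n  ", f));
        }
    }
}
```

The first body produces no finding, the second is flagged once for the tautology on Username, and the third is flagged twice: the tautology is found inside the decoded value, and the decoded value also contains "&Password=", which on its own is a strong sign that a client-side tool encoded the whole form as one parameter.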

  1. they have virus men !!!!

  2. Does this work for a URL without parameters?

    E.g. http://oldbooks/buy/1237/, where 1237 is the point of injection?