Sunday, August 21, 2011

WebGoat - XPATH Injection

Solution:

Source code analysis:
Check the following code in the server-side Java file (..\WebGoat-5.3_RC1\tomcat\webapps\webgoat\WEB-INF\classes\java\org\owasp\webgoat\lessons\XPATHInjection.java):

// Path to the XML data file the lesson searches
String dir = s.getContext().getRealPath("/lessons/XPATHInjection/EmployeesData.xml");
File d = new File(dir);
XPathFactory factory = XPathFactory.newInstance();
XPath xPath = factory.newXPath();
InputSource inputSource = new InputSource(new FileInputStream(d));
// Vulnerable: username and password are concatenated straight into the XPath expression
String expression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password + "']";

For normal input such as "Mike/test123", the expression becomes:

/employees/employee[loginID/text()='Mike' and passwd/text()='test123']

The server will search the XML data file and return Mike's record.

However, the username and password come straight from user input without any validation, so this is the injection point.

Attack process:
Now we craft an input that breaks the query's logic. For example, submit the following:
username: ' or 1=1 or 'a'='a
password: anything..

The XPath query now becomes:

/employees/employee[loginID/text()='' or 1=1 or 'a'='a' and passwd/text()='anything..']

The predicate evaluates as false or true or (true and false) = true, because "and" has higher precedence than "or".
So the server returns every record in the XML data file.

Alternatively, use the following input:
username: ' or ''='
password: ' or ''='
Now the expression becomes:

/employees/employee[loginID/text()='' or ''='' and passwd/text()='' or ''='']

The predicate evaluates as false or (true and false) or true = true ("and" has higher precedence than "or").
So the server again returns every record in the XML data file.
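The following is an added example, not WebGoat's code: it puts the lesson's vulnerable string concatenation beside a hardened version that binds the credentials through an XPathVariableResolver, so the input is treated as a value and never parsed as XPath. The employee data is constructed inline; the class and method names are my own.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {
    // Constructed sample data standing in for EmployeesData.xml
    static final String XML = "<employees>"
        + "<employee><loginID>Mike</loginID><passwd>test123</passwd></employee>"
        + "<employee><loginID>Alice</loginID><passwd>s3cret</passwd></employee>"
        + "</employees>";

    static Document load() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(XML)));
    }

    // Vulnerable: the lesson's pattern, user input concatenated into the query
    static int vulnerableLogin(String username, String password) throws Exception {
        String expr = "/employees/employee[loginID/text()='" + username
            + "' and passwd/text()='" + password + "']";
        XPath xp = XPathFactory.newInstance().newXPath();
        return ((NodeList) xp.evaluate(expr, load(), XPathConstants.NODESET)).getLength();
    }

    // Hardened: the query is a constant; $username and $password are bound as values
    static int safeLogin(String username, String password) throws Exception {
        Map<String, String> vars = new HashMap<>();
        vars.put("username", username);
        vars.put("password", password);
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver((QName name) -> vars.get(name.getLocalPart()));
        String expr = "/employees/employee[loginID/text()=$username and passwd/text()=$password]";
        return ((NodeList) xp.evaluate(expr, load(), XPathConstants.NODESET)).getLength();
    }

    public static void main(String[] args) throws Exception {
        String injected = "' or 1=1 or 'a'='a";
        System.out.println("normal:     " + vulnerableLogin("Mike", "test123"));
        System.out.println("vulnerable: " + vulnerableLogin(injected, "anything.."));
        System.out.println("hardened:   " + safeLogin(injected, "anything.."));
    }
}
```

With the injected username the vulnerable query matches every employee, while the hardened query compares the literal string and matches none.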

