Saturday, August 8, 2009

XPATH Injection

Taking user input and using it directly in a verification step is always dangerous. When developers discuss injection attacks, they generally mean SQL injection.

Injection attacks, however, can target any query language, and XPATH is one of them. XPATH expressions are used to query XML documents: they provide an easy way to reach the desired content without loops or programming-language-specific constructs.

These attacks can be largely prevented by never building a query directly from user input, because an attacker can inject malicious data that lets him pass the authentication check.

Let's see how an attacker uses this.

We assume a typical login form with two text boxes, txtUserName and txtPassword, and a btnLogin button. The user is supposed to enter his credentials and hit the Login button for verification.

The user data is maintained in the form of XML (element names match the XPATH expression below, since XPATH is case-sensitive):

<Users>
  <User>
    <UserName>Shujaat</UserName>
    <Password>Siddiqi123</Password>
  </User>
  <User>
    <UserName>Rose2009</UserName>
    <Password>MyP@ssword765</Password>
  </User>
  ...
</Users>


Now the XPATH expression constructed for user verification is as follows (C#):

string query = "/Users/User[UserName='" + txtUserName.Text + "' and Password='" + txtPassword.Text + "']";


Now a user can easily pass the security check by entering data like this in either of the text boxes:

txtUserName: ' or 1=1 or ''='
OR
txtPassword: ' or 1=1 or ''='

We assume he enters this in txtUserName, and txtPassword is given any text, e.g. 'shujaat'.

Now the variable query would be assigned the following string:
"/Users/User[UserName='' or 1=1 or ''='' and Password='shujaat']"

In XPATH, and binds tighter than or, so the predicate reads UserName='' or 1=1 or (''='' and Password='shujaat'), and 1=1 is true for every node. Since the expression satisfies all User nodes in the document, the SelectNodes() method on the XmlDocument object (Microsoft .NET) returns every user in the document.

The attacker is finally in the system freely! :)

So be careful when you construct XPATH expressions from user data, otherwise...
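As an added example (not code from the original post), the following C# program puts the post's vulnerable query next to a parameterised version. Instead of splicing txtUserName and txtPassword into the expression, the values are bound as XPath variables ($u and $p) through a small custom XsltContext, so a quote in the input can never change the structure of the expression. VariableContext and the LoginCheck class are helpers written for this example, not part of the .NET framework; the XML is a constructed copy of the post's user file.

```csharp
// Added example, not code from the original post. VariableContext is a helper
// written here to bind XPath variables; it is not part of the .NET framework.
using System;
using System.Collections.Generic;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

// Resolves $name references in an XPath expression to plain string values.
class VariableContext : XsltContext
{
    private readonly Dictionary<string, string> vars = new Dictionary<string, string>();

    public VariableContext Bind(string name, string value)
    {
        vars[name] = value;
        return this;
    }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        string value;
        if (!vars.TryGetValue(name, out value))
            throw new XPathException("Unbound XPath variable: " + name);
        return new StringVariable(value);
    }

    // No custom functions and no whitespace handling are needed for this example.
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes)
    {
        return null;
    }
    public override int CompareDocument(string baseUri, string nextbaseUri) { return 0; }
    public override bool PreserveWhitespace(XPathNavigator node) { return false; }
    public override bool Whitespace { get { return false; } }

    private sealed class StringVariable : IXsltContextVariable
    {
        private readonly string value;
        public StringVariable(string value) { this.value = value; }
        public object Evaluate(XsltContext context) { return value; }
        public bool IsLocal { get { return false; } }
        public bool IsParam { get { return false; } }
        public XPathResultType VariableType { get { return XPathResultType.String; } }
    }
}

static class LoginCheck
{
    // Constructed sample data mirroring the post's user file.
    const string UsersXml =
        "<Users>" +
        "<User><UserName>Shujaat</UserName><Password>Siddiqi123</Password></User>" +
        "<User><UserName>Rose2009</UserName><Password>MyP@ssword765</Password></User>" +
        "</Users>";

    // Vulnerable: the input is concatenated into the expression, exactly as in the post.
    public static int VulnerableMatches(XmlDocument doc, string user, string pass)
    {
        string query = "/Users/User[UserName='" + user + "' and Password='" + pass + "']";
        return doc.SelectNodes(query).Count;
    }

    // Hardened: the same expression, but the values travel as variables and are
    // compared as whole strings, so "' or 1=1 or ''='" is just an unknown user name.
    public static int SafeMatches(XmlDocument doc, string user, string pass)
    {
        XsltContext ctx = new VariableContext().Bind("u", user).Bind("p", pass);
        XPathNavigator nav = doc.CreateNavigator();
        XPathExpression expr = nav.Compile("/Users/User[UserName=$u and Password=$p]");
        expr.SetContext(ctx);
        return nav.Select(expr).Count;
    }

    static void Main()
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(UsersXml);
        string payload = "' or 1=1 or ''='";

        Console.WriteLine("vulnerable, payload as user name: " + VulnerableMatches(doc, payload, "shujaat"));
        Console.WriteLine("safe, payload as user name:       " + SafeMatches(doc, payload, "shujaat"));
        Console.WriteLine("safe, real credentials:           " + SafeMatches(doc, "Shujaat", "Siddiqi123"));
    }
}
```

With the payload from the post as the user name, VulnerableMatches returns every User node in the file, while SafeMatches returns none, because the payload is compared literally against each UserName and matches nobody; only the genuine credentials produce a match. Two design points follow the same defensive idea: keep the query text constant and pass data separately, and do not store passwords in clear text as the sample file does; in a real system the XPath lookup should fetch the user by name only, and the password hash should be verified in application code.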
