Tuesday, December 20, 2011

XPATH Injection and detection methods

Data can be stored in a XML file instead of an SQL Database.  To sort through complex XML documents, developers created the XPath language. XPath is a query language for XML documents, much like SQL is a query language for databases.  Instead of tables, columns, and rows XML files have nodes in a tree.  And like SQL, XPATH also had the potential for injection issues if queries are not properly sanitized.
XPATH injection is a techniques used to exploit applications that uses XPATH queries from user supplied inputs to navigate around XML documents. The syntax of XPATH has some resembles as SQL query and therefore it is possible to form a SQL query looking query on an XML document using XPATH.
Assume an example that an XML document contains elements by the name user, each of which contains three sub elements – Account, name and password. The below expression yields the account number of the user whose name is “username” and password is “password”.
string(//user[name/text()='username' and
 password/text()='password']/account/text())
If an application uses run-time XPath query construction, embedding unsafe user input into the query, it may be possible for the attacker to inject data into the query such that the newly formed query will be parsed in a way differing from the programmer's intention.
XPATH queries that are dynamically combined with user input may be modified by the user in a way that it is intended for. Below is an example XPATH query that could be used in the LOGIN method.
//users/cusid[username]
A user may attempt to bypass authentication by modifying the XPATH statements to return all users who are greater than 5 years of age.
//users/cusid[./age>5]

Vulnerability detection proposal
If not properly implemented, the Xpath statement lacks the at sign '@', which indicates a parametrized statement, but does have a concatenation operator in the form of a plus sign. '+' So, in order to loosely scan Xpath injections in JAVA we search for:

Compile/evaluation sequence:
/^xpath\.compile$/ and /^xpath\.evaluate$/

Concatenation operator indicating a risk:

/\+/
Combined in regular expression flow:
/xpath\.(compile|evaluate).*('|").*\+.*\+/