Authentication Bypass Using XPATH Injection
Over recent years, the number of websites backed by an XML database has increased, giving an
attacker an additional attack vector. XPath injection is an attack in which the attacker injects
XPath syntax into a query so that the overall expression evaluates to true, bypassing the log-in
mechanism. XPath is the standard way of querying XML documents; it plays the same role as the SQL
queries used against MySQL and MSSQL databases.
Testing for XPATH Injection
Bypassing authentication with XPath injection is a bit more difficult than with SQL injection. The
reason is that XPath has no comment syntax; therefore, we cannot comment out the rest of the
statement to make it true. Instead, we have to satisfy both conditions, the username check and the
password check:
Step 1: We have a form that we need to test for XPath injection. We simply submit
an apostrophe (') via the input parameters and look for an error:
334 ◾ Ethical Hacking and Penetration Testing Guide
We get an error saying our XPath query could not be processed. This indicates that
the log-in form may be vulnerable to XPath injection.
Step 2: Since, as mentioned before, we need to make the statement true, we insert the
following always-true conditions in both inputs:
Login: ' or '1' = '1
Password: ' or '1' = '1
The overall query becomes true, and we can successfully bypass the log-in form.
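To make the mechanism concrete, here is an added example in Ruby (not code from the book): a log-in lookup that splices the two fields straight into the XPath expression, next to a hardened version that binds them as XPath variables. The XML user store, the user names and the passwords are constructed for the example; the injected input is the one shown above.

```ruby
require 'rexml/document'

# Constructed sample user store (an assumption for this example, not data from the page),
# standing in for the XML database behind the log-in form.
USERS_XML = <<~XML
  <users>
    <user><name>alice</name><password>s3cret</password></user>
    <user><name>bob</name><password>hunter2</password></user>
  </users>
XML

USER_DOC = REXML::Document.new(USERS_XML)

# Vulnerable pattern: caller input is spliced directly into the XPath expression, so an
# apostrophe in either field changes the structure of the predicate. With the page's
# input the predicate becomes
#   name='' or '1' = '1' and password='' or '1' = '1'
# which is true for every <user>, so the first user is "logged in".
def vulnerable_login(name, password)
  query = "//user[name='#{name}' and password='#{password}']"
  node = REXML::XPath.first(USER_DOC, query)
  node && node.elements['name'].text
end

# Hardened pattern: the values are bound as XPath variables ($n and $p). The expression
# is fixed, and the input is only ever compared as a string, never parsed as XPath.
def safe_login(name, password)
  node = REXML::XPath.first(USER_DOC, "//user[name=$n and password=$p]", nil,
                            { 'n' => name, 'p' => password })
  node && node.elements['name'].text
end

# Run both functions against a legitimate log-in and against the always-true input.
def demo
  payload = "' or '1' = '1"
  {
    legitimate: vulnerable_login('alice', 's3cret'), # "alice"
    injected:   vulnerable_login(payload, payload),  # "alice": both conditions satisfied
    hardened:   safe_login(payload, payload),        # nil: no user has that name
  }
end

puts demo.inspect
```

The injected run illustrates the point made above: with no comment syntax available, the payload has to be placed in both fields so that each of the two predicates is made true on its own. Note that even the hardened query still compares a plaintext password inside XPath; in a real system, look up the user node by name with a bound variable and verify a salted password hash in application code instead.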
Authentication Bypass Using Response Tampering
Sometimes it is possible to tamper with the responses of the application to access protected data
that are not normally accessible to a regular user. This vulnerability is also known as "Failure to
Restrict URL Access" and holds a spot in the OWASP Top 10 for 2010.
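As an added example (not code from the book), here is the server-side view of this weakness in Ruby: a deny-by-default route authorizer that decides purely from the server-held session, next to the flawed pattern that lets a flag from an earlier, client-editable response decide access. The route table, role names and session structure are assumptions made for the example.

```ruby
# Constructed route table (an assumption for this example, not from the page): each
# path lists the lowest role allowed to reach it. Paths that are not listed are
# denied, so a link that was merely hidden from the menu is still protected.
ROUTE_ROLES = {
  '/'            => :anonymous,
  '/account'     => :user,
  '/admin/users' => :admin,
}.freeze

ROLE_RANK = { anonymous: 0, user: 1, admin: 2 }.freeze

# Server-side session, populated at log-in from the server's own user store.
Session = Struct.new(:username, :role)

# Correct check: the decision depends only on the route table and the server-held
# session. Nothing the client sends, or edited in an earlier response, is consulted.
def authorize(session, path)
  required = ROUTE_ROLES[path]
  return :not_found if required.nil?
  return :forbidden if ROLE_RANK.fetch(session.role, -1) < ROLE_RANK[required]
  :ok
end

# The flawed pattern behind "failure to restrict URL access": a client-supplied flag,
# copied from a response the client was free to edit, decides access. Shown only to
# contrast with authorize above.
def authorize_from_client_flag(client_params, path)
  return :not_found unless ROUTE_ROLES.key?(path)
  client_params['is_admin'] == 'true' ? :ok : :forbidden
end

def demo
  guest = Session.new(nil, :anonymous)
  admin = Session.new('alice', :admin)
  tampered = { 'is_admin' => 'true' } # flag flipped by the client after the fact
  {
    guest_hidden_link: authorize(guest, '/admin/users'),  # :forbidden
    guest_unlisted:    authorize(guest, '/admin/backup'), # :not_found (deny by default)
    admin_ok:          authorize(admin, '/admin/users'),  # :ok
    flawed_tampered:   authorize_from_client_flag(tampered, '/admin/users'), # :ok (the bug)
  }
end

puts demo.inspect
```

The lesson for the defender is that removing a link from the page is not access control: every request to a restricted path must be checked against server-side state, and unknown paths should fall through to a denial rather than to the content.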
Crawling Restricted Links
The best way of finding this vulnerability is to crawl all the pages of a particular website and
take note of all the restricted links that are not accessible to normal users. Acunetix Web
Vulnerability Scanner has a great crawler you can use; alternatively, Burp Suite's Spider feature is
a great way to crawl a website for pages that are not publicly accessible.
To use the Burp Spider effectively, we first need to set the scope so that only our defined target
is crawled. To set the scope, simply copy the URL and click "Paste URL"; Burp adjusts the
settings automatically.
Next, we right-click the place from which we want to spider and click "Spider this branch"
if it is a branch or "Spider from here" if it is a web page.
Web Hacking ◾