Ethical Hacking and Penetration Testing Guide


Authentication Bypass Using XPATH Injection
Over recent years, the number of websites backed by an XML database has increased, giving an
attacker an additional attack vector. XPath injection is an attack in which an attacker injects XPath
expressions into the log-in query so that the overall statement evaluates to true, thereby bypassing the
log-in mechanism. XPath is a standard way of querying XML documents and databases; it is similar to
the SQL queries used to query MySQL and MSSQL databases.
Testing for XPATH Injection
Bypassing authentication with XPath injection is a bit more difficult than with SQL injection. The
reason is that there are no comments in XPath; therefore, we cannot comment out the rest of the
statement to make it true. Instead, we have to satisfy both conditions, the username check and the
password check:
Step 1—We have a form that we need to test for an XPATH injection. We simply submit
an apostrophe (') via the input parameters and look for an error:


We get an error saying our XPath query could not be processed. This indicates that
the log-in form is likely to be vulnerable to XPath injection.
Step 2—Since, as mentioned before, we need to make our statement true, we insert
the following always-true conditions into the inputs:
Login: ' or '1' = '1
Password: ' or '1' = '1
The overall query becomes true, and we can successfully bypass the log-in form.
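To show why the conditions in Step 2 make the whole query true, and how the log-in query should be built instead, here is an added example in Ruby using the standard-library REXML parser. It is not code from the book; the XML user store, the user names and passwords, and the function names login_vulnerable and login_hardened are all constructed for this illustration. The vulnerable version pastes the submitted values into the XPath predicate; the hardened version keeps the expression constant and binds the inputs as XPath variables, so a quote in the input cannot change the structure of the query.

```ruby
require "rexml/document"

# Constructed sample user store (not from the book): an XML "database" of the
# kind a log-in form queries.
USERS_XML = <<~XML
  <users>
    <user><username>alice</username><password>s3cret</password><role>admin</role></user>
    <user><username>bob</username><password>hunter2</password><role>user</role></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Name of the user a query matched, or nil when nothing matched.
def matched_user(node)
  node && node.elements["username"].text
end

# Vulnerable log-in check: the submitted values are concatenated into the XPath
# predicate. A quote in the input closes the literal and the remainder becomes
# XPath syntax, so "' or '1' = '1" in both fields produces
#   //user[username='' or '1' = '1' and password='' or '1' = '1']
# which is true for every <user> node because "and" binds tighter than "or",
# and the first user in the document is "logged in".
def login_vulnerable(username, password)
  query = "//user[username='#{username}' and password='#{password}']"
  matched_user(REXML::XPath.first(DOC, query))
end

# Hardened log-in check: the expression is a fixed string and the inputs are
# bound as XPath variables ($u and $p), so they are compared as whole string
# values and can never alter the predicate, quotes or no quotes.
def login_hardened(username, password)
  query = "//user[username=$u and password=$p]"
  vars = { "u" => username, "p" => password }
  matched_user(REXML::XPath.first(DOC, query, nil, vars))
end

if __FILE__ == $0
  payload = "' or '1' = '1" # the always-true condition from Step 2
  puts "vulnerable, valid credentials: #{login_vulnerable('bob', 'hunter2').inspect}"
  puts "vulnerable, injected:          #{login_vulnerable(payload, payload).inspect}"
  puts "hardened, valid credentials:   #{login_hardened('bob', 'hunter2').inspect}"
  puts "hardened, injected:            #{login_hardened(payload, payload).inspect}"
end
```

When the XPath library in use offers no variable binding, the fallback is to reject or escape quote characters in the inputs before building the expression; that is weaker than binding, because every place that builds a query has to remember to do it.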
Authentication Bypass Using Response Tampering
Sometimes it is possible to tamper with the responses of the application to access protected data
that are usually not accessible to a normal user. This vulnerability is also known as "Failure to Restrict
URL Access" and holds a spot in the OWASP Top 10 for 2010.
Crawling Restricted Links
The best way of finding this vulnerability is by crawling all the pages of a particular website and
taking note of all the restricted links that are not accessible to normal users. The Acunetix web
vulnerability scanner has a great crawler that you can use; alternatively, Burp Suite's Spider feature is
a great way to crawl a website for pages that are not publicly accessible.
To use the Burp Spider effectively, we first need to set the scope so that it crawls only our defined
target. To set the scope, simply copy the URL and click "Paste URL"; Burp adjusts the settings
automatically.
Next, we right-click the node we want to spider from and click "Spider this branch" if it is a
branch or "Spider from here" if it is a single web page.
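As an added illustration of the "Failure to Restrict URL Access" weakness described above, and of what the crawl of restricted links is meant to surface, here is a constructed Ruby model. It is not code from the book, from Burp Suite or from Acunetix; the route table, the role names and the functions serve_hiding_links_only, serve_with_access_control and audit_restricted are assumptions made for this example. The first handler only hides restricted links from the navigation, so any crawled URL is served to anyone; the second authorises every request on the server. The audit runs a crawled link list through a handler as a given role and reports the restricted pages that were served with 200 although that role should not see them.

```ruby
# Constructed route table (not from the book): path => roles allowed to view it,
# nil meaning the page is public.
ROUTES = {
  "/"            => nil,
  "/login"       => nil,
  "/account"     => %w[user admin],
  "/admin"       => %w[admin],
  "/admin/users" => %w[admin],
}.freeze

# Links a spider would collect from the site, including ones never shown in a
# normal user's menu (constructed list).
CRAWLED_LINKS = ROUTES.keys.freeze

# Weak handler: the only "protection" is that restricted links are left out of
# the menu. Whoever knows or crawls the URL gets the page, whatever their role.
def serve_hiding_links_only(path, _role)
  return [404, "not found"] unless ROUTES.key?(path)
  [200, "page #{path}"]
end

# Hardened handler: every request is checked against ROUTES before the page is
# served, so a restricted URL is refused to the wrong role whether or not it was
# ever linked.
def serve_with_access_control(path, role)
  return [404, "not found"] unless ROUTES.key?(path)
  allowed = ROUTES[path]
  return [200, "page #{path}"] if allowed.nil?       # public page
  return [401, "login required"] if role.nil?        # anonymous visitor
  return [403, "forbidden"] unless allowed.include?(role)
  [200, "page #{path}"]
end

# Audit: request each crawled link as the given role (nil = anonymous) through
# the supplied handler and return the restricted paths that were served anyway.
def audit_restricted(links, role, &handler)
  links.select do |path|
    allowed = ROUTES[path]
    next false if allowed.nil? || allowed.include?(role) # public or permitted
    status, _body = handler.call(path, role)
    status == 200
  end
end

if __FILE__ == $0
  puts "anonymous, links merely hidden: #{audit_restricted(CRAWLED_LINKS, nil, &method(:serve_hiding_links_only))}"
  puts "user, links merely hidden:      #{audit_restricted(CRAWLED_LINKS, 'user', &method(:serve_hiding_links_only))}"
  puts "user, server-side checks:       #{audit_restricted(CRAWLED_LINKS, 'user', &method(:serve_with_access_control))}"
end
```

The point of the audit is that the link list comes from the crawler, not from the menu: a page that is reachable by URL but never linked is exactly the kind of page a spider turns up and a per-request authorisation check is what closes it.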

