Starting on the name of My god "Allah" the most beneficent the most merciful "XPATH Injection" If you landed this page searching for "SQLi Error based XPATH Injection" which is already posted at XPATH using UpdateXML and XPATH using ExtractValue and obviously this time we will not be discussing on SQL Injection. We are doing the discuss about the real XPATH injection, as we know XPATH is a data manipulation language very much similar to SQL. Using XPATH queries we can enumerate data saved into an XML file. Something which makes both of them different is that unlike SQL, in XPATH we do not have any Access Level which means that one a document is injectable the hackers get his hand on the whole database.

XPATH is used to create quries which allow user to manipulate data inside a XML document. In this tutorial we will start with the basics of XPATH queries to understand them better and later on we will move on the injecting part.

Below is a little introduction to XPATH from w3school to understand the terminology used in XPATH Data Manipulation Language. Just like we need to know what is database, tables, columns, data, queries etc if we want to learn SQL injection, in the same manner we need to understand the basic structures of XML to Inject into XPATH queries

In XPath, there are seven kinds of nodes: element, attribute, text, namespace, processing-instruction, comment, and document nodes.

XML documents are treated as trees of nodes. The topmost element of the tree is called the root element.

Look at the following XML document:

<?xml version="1.0" encoding="UTF-8"?>

<bookstore>
  <book>
    <title lang="en">Harry Potter</title>
    <author>J K. Rowling</author>
    <year>2005</year>
    <price>29.99</price>
  </book>
</bookstore>
Example of nodes in the XML document above:
(root element node)
J K. Rowling (element node)
lang="en" (attribute node)
Atomic values

Atomic values are nodes with no children or parent.

Example of atomic values:
J K. Rowling

"en"

Items

Items are atomic values or nodes.


Relationship of Nodes

Parent

Each element and attribute has one parent.

In the following example; the book element is the parent of the title, author, year, and price:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>
Children

Element nodes may have zero, one or more children.

In the following example; the title, author, year, and price elements are all children of the book element:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>
Siblings

Nodes that have the same parent.

In the following example; the title, author, year, and price elements are all siblings:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>
Ancestors
A node's parent, parent's parent, etc.
In the following example; the ancestors of the title element are the book element and the bookstore element:

<bookstore>

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>

</bookstore>
Descendants

A node's children, children's children, etc.

In the following example; descendants of the bookstore element are the book, title, author, year, and price elements:

<bookstore>

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>

</bookstore>
Now let us move to the Basic queries in XPATH and the most basic type of injection in XPATH queries.

Author : Zenodermus Javanicus
Date : 2014-06-01