Once you are connected via VPN to the lab environment, all the web applications will be
available at the following URL: http://info.xpath.site/.
There are three main sections for each type of lab: Video, Lab, Challenges.
• The Video section contains the web applications used during the video lessons. If you
need any information about the scenario, the attacks and so on, refer to the
corresponding video.
• The Labs section contains web applications where you can practice the techniques of the
specific module. These labs have solutions, which you can find later in this manual.
• Challenge labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!
The best tool is, as usual, your brain. Then you may need:
• Web Browser
• Burp Suite
• XCat
• XPath Blind Explorer
Once you have your virtual network ready, configure the following IP address as default
DNS: 10.100.13.37
• WINDOWS: change the properties of the TAP network device, adding the IP address of the
server as the first DNS server.
• LINUX: add an entry for the IP address of the server to the /etc/resolv.conf file.
Employees can access their applications only after authenticating. They can view their
colleagues’ latest ratings and can consult their own profiles.
You do not know any credentials to log in, but you know that the web application is
vulnerable to XPath injection. You will bypass the authentication system by exploiting this
vulnerability.
The restaurant boasts prestigious clients from all over the world, and there are
reservations months in advance!
Recently, the restaurant has decided to allow its customers to register online.
Each customer can book a table and leave any particular information for the reservation.
The web application stores the reservations in an XML file. Extract all the reservations of
the day.
• Burp Suite
• Web Browser
• XPath Blind Explorer 1.0
First, you must identify the HTTP request related to the login action itself. This is a
critical first step and will give you the information you need later about how the login
request is made and which parameters are used.
Enable Burp proxy to intercept all requests sent by the browser and the responses
returned from the server.
• username: testforlogin
• password: testpassword
The request is made through an AJAX GET request with the following parameters:
Forward the request and wait for a response. The response body contains the string:
Login Failed
Generally, fields like username and password are defined as string types, so you should
check how the web application reacts when you insert probe data like:
• '
In SQL syntax, the apostrophe is used as a string terminator, so it is a simple way to check
whether a web application is vulnerable.
Let us try by inserting the apostrophe in both of the inputs (username and password).
Perform the login action and wait for the intercepted request:
The response contains an application error. This behavior differs from the default
behavior and occurs only when the attacker inserts the apostrophe in either of the two
user inputs (username and password). This is enough evidence to show that the web
application is vulnerable with respect to the username and password parameters.
The expression
can be represented as:
• (A and B)
where A and B are the two conditions that must both be satisfied for authentication to take
place.
Your goal will be to bypass the XPath query, so you need to look for a payload that makes
the query above always evaluate to TRUE. Note that the XPath language does not allow
insertion of comments, so you must build a complex logical condition to neutralize the AND
condition.
As the injection starting point, you should choose one of the two fields: username or
password.
If you choose the username as the injection point you should insert a payload like this:
Let us have a look at why this will work. The XPath query would become:
The expression
(A OR C) OR (D AND B)
The payload inserts two new redundant Boolean operators to achieve the schema above, so
the query evaluates to TRUE:
If you want to use the password as the injection point you should insert a payload like this:
' or 'a'='a
The expression
(A AND B) OR (C)
The expression (C) is always TRUE, so the overall query always evaluates to TRUE and
returns the result you are looking for.
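The following is an added example, not code from the lab manual or from the lab application: it builds the login query the walkthrough describes in the vulnerable way (string concatenation) and in a hardened way (XPath variables), evaluates both with lxml against a constructed user store, and reproduces the apostrophe probe's application error. The user store, element names and function names are assumptions for illustration.

```python
from lxml import etree

# Constructed sample user store; the lab's real XML is not shown in the manual.
USERS_XML = b"""
<users>
  <user><username>alice</username><password>s3cret</password></user>
  <user><username>bob</username><password>hunter2</password></user>
</users>
"""
ROOT = etree.fromstring(USERS_XML)


def vulnerable_login(username, password):
    """Concatenates user input into the predicate, i.e. the (A and B) query of the
    walkthrough. Returns the usernames matched; a non-empty list means 'logged in'."""
    query = ("//user[username/text()='" + username +
             "' and password/text()='" + password + "']")
    return [u.findtext("username") for u in ROOT.xpath(query)]


# Hardened form: $u and $p are XPath variables, bound at evaluation time.
SAFE_QUERY = etree.XPath("//user[username/text()=$u and password/text()=$p]")


def safe_login(username, password):
    """Binds input as variables, so quotes and operators in the input are compared
    as data and never become part of the query grammar."""
    return [u.findtext("username") for u in SAFE_QUERY(ROOT, u=username, p=password)]


def probe_error(username, password):
    """Reproduces the detection signal from the walkthrough: a lone apostrophe breaks
    the concatenated query and the evaluation fails. Returns True when the
    concatenated query raises an XPath error (the 'application error' in the lab)."""
    try:
        vulnerable_login(username, password)
        return False
    except etree.XPathError:
        return True


if __name__ == "__main__":
    payload = "' or 'a'='a"  # the password-field payload from the walkthrough
    print(vulnerable_login("x", payload))  # every user matches: (A and B) or C
    print(safe_login("x", payload))        # [] : the payload is just a wrong password
    print(probe_error("'", "'"))           # True: the apostrophe probe errors out
```

With variables bound, the same payload in the password field is compared literally against the stored password and no user matches, while the concatenated query returns every user.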
Now you can bypass the authentication form by inserting the following credentials: