
© 2018 Caendra Inc. | Hera for WAPTv3 | XPath Injection 1


In these XPath Injection labs, the student can practice attack techniques that exploit XPath
injection vulnerabilities in order to gather sensitive information from the target web
application.

Once you are connected to the lab environment via VPN, all the web applications will be
available at the following URL: http://info.xpath.site/.

There are three main sections for each type of lab: Video, Lab, Challenges.

• The Video section contains the web applications used during the video lessons. If you
need any information about the scenario, the attacks and so on, please refer to the
corresponding video.
• The Labs section contains web applications where you can practice the techniques of the
specific module; these labs have solutions, which you can find later in this manual.
• Challenge labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!

The best tool is, as usual, your brain. Then you may need:

• Web Browser
• Burp Suite
• XCat
• XPath Blind Explorer

Once you have your virtual network ready, configure the following IP address as your default
DNS server: 10.100.13.37

• WINDOWS: change the properties of the TAP network device, adding the IP address of the
server as the first DNS server.
• LINUX: add an entry for the IP address of the server to the /etc/resolv.conf file.

RatAgency is a web application used by employees of an important credit rating agency.
They can use it to assign a credit rating to any country in the world.

Employees can access their applications only after authenticating. They can view their
colleagues’ latest ratings and can consult their own profiles.

You do not know the credentials to log in, but you know that the web application is vulnerable
to XPath injection. You will bypass the authentication system by exploiting this
vulnerability.

Finding the XPath injection and exploiting the login form.

• How to find XPath injections
• How to use Burp Suite
• How to exploit an XPath injection vulnerability to bypass a login

Deliccio is one of the most famous restaurants in the world. Its European cuisine is one of
the most appreciated in the UK.

The restaurant boasts prestigious clients from all over the world, and there are
reservations months in advance!

Recently, the restaurant has decided to allow its customers to register online.

Each customer can book a table and leave any additional information for the reservation.
The web application stores the reservations in an XML file. Extract all the reservations of
the day.

• Burp Suite
• Web Browser
• XPath Blind Explorer 1.0

• How to exploit XPath 1.0 Blind Injection
• How to extract information from an XML file through a blind XPath injection
• How to use XPath Blind Explorer 1.0
• How to craft XPath Blind Explorer requests with Burp Proxy

Deliccio is one of the most famous restaurants in the world. Its European cuisine is one of
the most appreciated in the UK.

The restaurant boasts prestigious clients from all over the world, and there are
reservations months in advance!

Recently, the restaurant has decided to allow its customers to register online.

Each customer can book a table and leave any additional information for the reservation.
The web application stores the reservations in an XML file. Extract all the reservations of
the day.

• Burp Suite
• Web Browser
• XPath Blind Explorer 1.0

• How to exploit XPath 1.0 Blind Injection
• How to extract information from an XML file through a blind XPath injection with
multiple parameters
• How to use XPath Blind Explorer 1.0
• How to craft XPath Blind Explorer requests with Burp Proxy

Please go ahead only if you are really stuck or if you have completed the labs.

You must first find out which parameters are vulnerable to XPath injection and then exploit
them to access the system.

Tasks you will perform are:

• Login request identification
• Finding XPath injections
• XPath Injection exploitation

First, you must identify the HTTP request related to the login action itself. This is a
critical first step: it gives you the information you need later about how the login
request is made and which parameters are used.

Enable Burp proxy to intercept all requests sent by the browser and the responses
returned from the server.

Try to perform a login with any username / password. Your goal is simply to analyze the
HTTP requests and the related responses with Burp proxy, not to actually login.

For example, you could insert:

• username: testforlogin
• password: testpassword

Head back over to Burp proxy and take a look at the intercepted request; then, forward it.

The request is made through an AJAX GET request with the following parameters:

• username = <inserted username>
• password = <inserted password>

Forward the request and wait for a response. The response body contains the string:

Login Failed

You know the parameters of the request: username and password. Now, you should
check whether either of these parameters is vulnerable to XPath injections.

Generally, fields like username and password are defined as string types, so you should
check how the web application reacts when you insert probe data like:

• '

In XPath, as in SQL, the apostrophe delimits string literals, so inserting one is a simple
way to check whether a web application is vulnerable.

Let us try by inserting the apostrophe in both of the inputs (username and password).
Perform the login action and wait for the intercepted request:

Forward the request and wait for a response.

The response contains an application error. This behavior differs from the default
behavior and occurs only when the attacker inserts the apostrophe in either of the two
user inputs (username and password). This is enough evidence to show that the web
application is vulnerable in the username and password parameters.

Your next step is to exploit the vulnerability and bypass the authentication system.

Generally, an XPath authentication query looks like this:

• //<someNode>…[username='<USERNAME>' and password='<PASSWORD>']

The expression

• username='<USERNAME>' and password='<PASSWORD>'

can be represented as:

• (A and B)

where A and B are the two conditions that must both be satisfied for authentication to take
place.

Your goal will be to bypass the XPath query, so you need to look for a payload that makes
the query above always evaluate to TRUE. Note that the XPath language does not allow
insertion of comments, so you must build a complex logical condition to neutralize the AND
condition.

As the injection starting point, you should choose one of the two fields: username or
password.

If you choose the username as the injection point you should insert a payload like this:

' or 'a'= 'a' or 'a'= 'a

Let us have a look at why this will work. The XPath query would become:

• //<someNode>[username='' or 'a'='a' or 'a'= 'a' and password='']

The expression

• username='' or 'a'='a' or 'a'= 'a' and password=''

can be represented logically as:

(A OR C) OR (D AND B)

The payload inserts two new, redundant Boolean operators to achieve the above schema, which
evaluates as follows.

In an OR comparison, the second condition (D AND B) is checked only if the first (A OR
C) is FALSE. Since (A OR C) is always TRUE, the second is never checked. As the
attacker, you have neutralized the AND.

If you want to use the password as the injection point you should insert a payload like this:

' or 'a'='a

The XPath query would become:

• //<someNode>[username='' and password='' or 'a'='a']

The expression

username='' and password='' or 'a'='a'

can be represented as:

(A AND B) OR (C)

The expression (C) is always TRUE, so the overall query always evaluates to TRUE and
returns the result you are looking for.

Now you can bypass the authentication form by inserting the following credentials:

• username: (empty value)
• password: ' or 'a'='a

The web application will now authenticate you as David.
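The bypass analysed above, reproduced as an added example that is not part of the lab or of its web application: Ruby's bundled REXML XPath engine stands in for the application's XPath evaluator, the user store is a constructed sample, and the payloads are the two shown on this page. The hardened variant binds the credentials as XPath variables, which is the fix a developer would apply to this login.

```ruby
require 'rexml/document'

# Constructed sample user store; it stands in for the lab's XML, whose
# real contents are not known.
USERS_XML = <<~XML
  <users>
    <user><username>david</username><password>david-pass</password></user>
    <user><username>alice</username><password>alice-pass</password></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Vulnerable login: the query is built by string concatenation, in the
# //<someNode>[username='<USERNAME>' and password='<PASSWORD>'] shape
# discussed above, so a quote in the input becomes part of the predicate.
# Returns the matched username, or nil when no user node matches.
def login_vulnerable(username, password)
  query = "//user[username='#{username}' and password='#{password}']"
  node = REXML::XPath.first(DOC, query)
  node && node.elements['username'].text
end

# Hardened login: the credentials are bound as XPath variables ($u, $p),
# so the predicate's structure is fixed and the input is only ever
# compared as a string. The same payloads no longer match any node.
def login_hardened(username, password)
  query = '//user[username=$u and password=$p]'
  node = REXML::XPath.first(DOC, query, {}, { 'u' => username, 'p' => password })
  node && node.elements['username'].text
end

if $PROGRAM_NAME == __FILE__
  injected = "' or 'a'='a"   # the password-field payload from this page
  puts "vulnerable: #{login_vulnerable('', injected).inspect}"  # "david"
  puts "hardened:   #{login_hardened('', injected).inspect}"    # nil
end
```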
