I found out someone performed ' test" and 1=0] | //* | /*["0") ' on my site, this looks like XPATH since I use XML on my site but what does it actually mean?
1 Answer
This is an XPath injection attack which tried to get all of the nodes in the document recursively (the //* part). To understand what happened better, go through an example.

Imagine you dynamically construct an XPath expression to search the subnode values by text which is entered by a user. The XML document that you use:
    <root>
        <node>
            <subnode>value1</subnode>
            <subnode>value2</subnode>
        </node>
    </root>
And you have this expression: //node[. = "%s"] where %s is a placeholder for the value entered by a user. A user might enter value1, which would produce the //node[. = "value1"] expression, which is perfectly safe and would return <subnode>value1</subnode>, okay.
But now, imagine if a user would enter the test" and 1=0] | //* | /*["0 query; you would get //node[. = " test" and 1=0] | //* | /*["0"], which is also syntactically correct, but, in this case, a user would get all of the nodes, including root, node and subnodes, accessing what a user was not supposed to access.
Let's break down the //node[. = " test" and 1=0] | //* | /*["0"] expression. The attacker used the test" and 1=0] part to get out of the existing condition and make it match nothing by adding the 1=0 condition. | means "or" in XPath. The //* would recursively match every node in the document; this is what gives the attacker what he/she was up to. The /*["0 part is needed to keep the expression syntactically correct and balance the quotes.
There are several ways to prevent it from happening, summarized here:

- Sanitize/validate the user input. The least you can do is to escape the quotes.
- Use pre-compiled XPath expressions: precompiled XPaths are already preset before the program executes, rather than created on the fly after the user's input has been added to the string. This is a better route because you don't have to worry about missing a character that should have been escaped.
- Use parameterized XPath expressions: parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails.
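The following is an added example, not code from the answer above. It builds the same kind of search over a constructed copy of the answer's document, first by string concatenation (the vulnerable pattern) and then with the input encoded as a single XPath literal. The XML, the subnode search, the helper names and the use of Python's standard-library ElementTree are all my assumptions; ElementTree evaluates only a subset of XPath, which is enough for the [.='text'] predicate used here but not for the injected union expression, so the leak itself would only be observable on a full XPath 1.0 engine.

```python
import xml.etree.ElementTree as ET

# Constructed sample document with the same shape as the one in the answer.
SAMPLE_XML = (
    "<root><node>"
    "<subnode>value1</subnode><subnode>value2</subnode>"
    "</node></root>"
)

# The payload from the question, as the raw user input (without the
# surrounding quotes the question shows).
PAYLOAD = ' test" and 1=0] | //* | /*["0'


def vulnerable_query(user_input):
    """Builds the expression by string concatenation: the user controls
    part of the XPath syntax, so a quote in the input ends the literal
    and everything after it is parsed as XPath."""
    return f'//subnode[.="{user_input}"]'


def xpath_literal(value):
    """Encodes an arbitrary string as an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside literals, so a value that
    contains both quote kinds is split on the double quote and rejoined
    with concat(). The result is always data, never syntax."""
    if '"' not in value:
        return f'"{value}"'
    if "'" not in value:
        return f"'{value}'"
    pieces = []
    for i, chunk in enumerate(value.split('"')):
        if i:
            pieces.append("'\"'")          # the double quote itself, single-quoted
        if chunk:
            pieces.append(f'"{chunk}"')   # chunks contain no double quote
    return "concat(" + ", ".join(pieces) + ")"


def safe_query(user_input):
    """Same search, but the input is encoded as one literal."""
    return f"//subnode[.={xpath_literal(user_input)}]"


def find_subnodes(query):
    """Runs a query against the sample document with the standard library.
    ElementTree needs a relative path, hence the leading '.'."""
    root = ET.fromstring(SAMPLE_XML)
    return [el.text for el in root.findall("." + query)]


if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD))            # the injected union expression
    print(safe_query(PAYLOAD))                  # one literal, matches nothing
    print(find_subnodes(safe_query("value1")))  # ['value1']
    print(find_subnodes(safe_query(PAYLOAD)))   # []
```

Encoding the value as a literal is the "escape the quotes" option from the list above done properly; with a library that supports XPath variables the parameterized form (an expression such as //subnode[.=$v] with the value bound separately) removes even that encoding step, because the value never touches the expression text.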
See also:
-
Thanks a lot, any ideas how to make sure this can't happen anymore? – Alex Bouttelgier Apr 28 '16 at 13:37
-
@AlexBouttelgier okay, sure, updated the answer with some more information and links. – alecxe Apr 28 '16 at 13:47
-
Alright, thanks. I'm the networking guy, so I'll give it to the guy that takes care of the website; it's his problem now ;) Thanks a lot for helping me, I really appreciate it. – Alex Bouttelgier Apr 28 '16 at 20:55