
XPath is what happens when XML guys get jealous of SQL and invent their own query language too. The good news (for hackers) is that XPath has an all-or-nothing connotation: if you get some access, you get it all! Sorry XML people, this is what happens when you try to make a standard do too much. XPath, unlike SQL, lacks granular access control, so there are no tiers of privilege to navigate between, and if you can enumerate one character, you know you are able to capture all of them. Hopefully these tradeoffs are understood by our target's developers, and protection via other means is put into place to prevent access or validate all transactions.

XPath injections are pretty straightforward once you have that basis in SQLi. We're looking for escape characters that either expose the logic or, better yet, give us full access. Let's first head into the Broken Web App's (BWAPP) XML/XPath Injection (Login Form) bug page and bring up our portal, which I show how to find in the following screenshot. This VM is included in the same OWASP BWA we've been using all along. You have probably noticed as much, but to state the obvious, the OWASP BWA VM is the single most important training tool outside of Kali itself, and it is free!

Finding the Broken Web App XPath Injection Page

We can test for a lack of input validation for potential XPath injection if we just use our single quote character again and observe any errors (as shown in the following screenshot):

Error indicating XPath Injection possible

Instead of the ' or 1=1 -- string we saw in SQL, we're going to use the XPath variant of ' or '1'='1 in both the Login and Password fields, which tells the XPath query: please look for this escape character, because 1 equals 1 and so we are legit! We'd hope validation is being done to sanitize these inputs, but it is mind-boggling how many servers will kick back a login success like the one in the following screenshot when given this string:

Logged in using XPath Injection

This process is great to understand using just a browser, but you can also do so much more when you let a tool help. Recon-ng is a fantastic CLI tool that provides a menu structure similar to Metasploit or Websploit that, together with the xpath_bruter module (wonderfully managed by Tim Tomes), helps automate the delivery of Blind XPath injection payloads for enumeration of a host. We'll buddy up with Burp Suite too, so that we can harvest the inputs we'll need. So enable proxies, strap in, and prepare to dominate the BWAPP! Let's look first at what recon-ng needs from us in the following screenshot:

Recon-ng's XPath_Bruter Module

Let's assume we are OSINT ninjas, and maybe we did a little social engineering and found out that Thor is a user and he has the rather naïve password of Asgard. We can use this single set of credentials to set up our Blind XPath injection. From the preceding show options command output, you can see we'll need a couple of things to get started. The following screenshot highlights most of the required fields for us.

Our Burp Suite Capture to seed Recon-NG

First of all, we'll grab the BASE_URL (in red). Then you'll need the parameters field, which is the piece of a URL string we're going to brute-force to enumerate the data (in green).

We'll use the login parameter to toggle between true and false. Assuming you are able to intercept all of the requests now, you should see that this portal uses an HTTP GET message to submit queries (as seen in blue), which consequently means that the query is embedded

Recon-ng's XPath-Bruter module is going to want to know all of this, and it is also going to want to know how we tell true and false apart (the string variable). So if I type what I know to be true credentials (our true condition), I get back Thor's secret message, so I can use the word Earth as my string. If I do a boolean AND condition with a known false (1 most certainly doesn't equal 2 at the time of this book's writing), that string will not show up.

So let's input those variables, take Burp and our proxy configuration out of the loop, and execute our brute-force attack! What we'll see enumerated within minutes is shown in the following screenshot: the entire contents of the heroes.xml file containing all user accounts:
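To make the two checks above concrete without a VM, here is an added example (not code from the book, BWAPP, or recon-ng) that runs the same ' or '1'='1 login bypass and the same true/false string test against a small constructed heroes.xml, using Ruby's bundled REXML XPath engine, and puts the vulnerable query-building pattern beside a hardened lookup. The XML content, the element names, and the "Earth" secret are constructed for the example; only the idea mirrors BWAPP.

```ruby
require "rexml/document"

# Constructed stand-in for BWAPP's heroes.xml (not the real file's contents).
HEROES_XML = <<~XML
  <heroes>
    <hero><login>neo</login><password>trinity</password><secret>Follow the white rabbit</secret></hero>
    <hero><login>thor</login><password>Asgard</password><secret>Earth is under my protection</secret></hero>
  </heroes>
XML
DOC = REXML::Document.new(HEROES_XML)

# VULNERABLE pattern: user input is concatenated straight into the XPath string,
# exactly the defect the login form in the text has. Returns matching <hero> nodes.
def vulnerable_lookup(login, password)
  query = "//hero[login='#{login}' and password='#{password}']"
  REXML::XPath.match(DOC, query)
end

# Simulates the portal's response page: the secret(s) on success, an error otherwise.
def response_for(login, password)
  hits = vulnerable_lookup(login, password)
  return "Invalid credentials!" if hits.empty?
  hits.map { |h| h.elements["secret"].text }.join("\n")
end

# The true/false test from the text: append a boolean condition to known-good
# credentials and look for the marker string ("Earth") in the response.
def oracle_true?(condition)
  response_for("thor' and #{condition} and '1'='1", "Asgard").include?("Earth")
end

# HARDENED pattern: the XPath expression contains no user data at all; the
# credential comparison happens in application code, so quotes in the input
# can never change the query's logic. Returns the matching login names.
def safe_lookup(login, password)
  REXML::XPath.match(DOC, "//hero")
              .select { |h| h.elements["login"].text == login &&
                            h.elements["password"].text == password }
              .map { |h| h.elements["login"].text }
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or '1'='1"
  puts "bypass matched #{vulnerable_lookup(payload, payload).size} hero(s)"  # both heroes
  puts "oracle 1=1 -> #{oracle_true?('1=1')}, 1=2 -> #{oracle_true?('1=2')}"
  puts "hardened lookup with payload -> #{safe_lookup(payload, payload).inspect}"  # []
end
```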

You will find that other injection tools very much follow a similar approach. Detection techniques center around the trial-and-error process of finding strings that can help expose the flaws, while exploits (in ethical hacking) are usually focused on enumeration. Black hat hackers may use some of these tools for actual corruption, manipulation, or destruction of the data, but they are normally using custom Python or Ruby scripts to execute these malicious attacks, or leveraging frameworks offered on the Dark Web. One of the better tools for more advanced CLI-based injection testing is Wapiti (http://wapiti.sourceforge.net/), as it can help in both SQL and XPath injection with a massive number of command line switches, options, and use cases supported.
