tags:

views:

84

answers:

1
Q: 

implementation of xpath injection attack...

xpath injection is an attack targeting the websites, where xpath queries are built from user supplied data.Here, Attacker can get the entire xml document without the complete knowledge.
How exactly the attack takes place?
How can we implement this attack?

Thank you

+2  A: 

see: http://www.ethicalhacker.net/content/view/185/24/

All injection attacks (including html/javascript injection, sql injection, hql injection) pretty much follow the same principles - basically anywhere you are concatenating user input to a command text, you have the potential for an injection attack.

Besides validating the input as mentioned in the above article, another approach (which might be preferred since it safely allows the use of any characters) would be to encode any user input before using it in an xpath.

Nathan  2010-02-04 19:49:22
So it's just SQL injection only for xpath, and its just because of a lack of 'prepared statements' for xpath queries?
Will  2010-02-04 20:04:30
@Will: essentially, yes. Edited answer to give a bit more detail.
Nathan  2010-02-04 20:12:42
when I read the article, and it said "whitelist allowed characters" I could cry. That didn't get the SQL world very far. Where's the prepared statements approach for xpath? That's enough of a reason not to use xpath.
Will  2010-02-04 20:40:26
@Will: You don't have prepared statement type of stuff for html or javascript either -- that's why they have encoding capabilities. I'm not sure precisely which encoding would be used for xpath - perhaps XML attribute encoding? At any rate, I generally prefer an encoding approach in these type of situations over a whitelisting (or even worse, blacklisting) approach.
Nathan  2010-02-04 21:20:26
but then the xml itself needs to be encoded, right? Only that kind of assumes you control it. If you controlled it, you'd not use XML though...
Will  2010-02-04 21:23:49

related questions

PHP simplexml problem
Is there a good online introduction/overview to XPath 2.0?
Select Element in a Namespace with XPath
Can XPath return only nodes that have a child of X?
What's wrong with my XPath/XML?
What is the correct XPath for choosing attributes that contain "foo"
Number of nodes meeting a conditional based on attributes
Choosing xpath version for .net IIS apps
How do you bind in xaml to a dynamic xpath?
Are .NET 3.5 XPath classes and methods XSLT 2.0 compatible?
Using SQL Server 2005's XQuery select all nodes with a specific attribute value, or with that attribute missing.
Flatten XML to HTML table using XSLT
Get list of XML attribute values in Python
How do get element out of xml file
Getting The XML Data Inside Custom XPath function
xslt and xpath: match conditionally upon current node value
How to load an xml string in the code behind to databound UI controls that bind to the XPath of the XML?
Count Xpaths in XmlSpy
Can XPath match on parts of an element's name?
Can I create a value for a missing tag in XPath?
How do I select an XML-node based on its content?
XPath and Selecting a single node
XPATHS and Default Namespaces
Regex Rejecting matches because of Instr
how to use xpath in python