XPath Injection (Part 1)

July 1, 2015 | Views: 3090


XPath is used to create queries that allow users to manipulate data inside an XML document. In this tutorial, we'll start with the basics of XPath queries to understand them better. Later on, we'll move on to the injection part.

Below is a short introduction to XPath from w3schools, covering the terminology used in the XPath data manipulation language. Just as we need to know what a database is (tables, columns, data, queries, etc.) if we want to learn SQL injection, we need to understand the basic structure of XML before we inject into XPath queries.

In XPath, there are seven kinds of nodes:

  1. element
  2. attribute
  3. text
  4. namespace
  5. processing-instruction
  6. comment
  7. document

XML documents are treated as trees of nodes. The topmost element of the tree is called the root element.

Look at the following XML document:

<?xml version="1.0" encoding="UTF-8"?>

<bookstore>
  <book>
    <title lang="en">Harry Potter</title>
    <author>J K. Rowling</author>
    <year>2005</year>
    <price>29.99</price>
  </book>
</bookstore>

 

Example of nodes in the XML document above:

<bookstore> (root element node)
<author>J K. Rowling</author> (element node)
lang="en" (attribute node)

Atomic values

Atomic values are nodes with no children or parent.

Example of atomic values:

J K. Rowling

"en"

Items

Items are atomic values or nodes.


Relationship of Nodes

Parent

Each element and attribute has one parent.

In the following example, the book element is the parent of the title, author, year, and price:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>

 

Children

Element nodes may have zero, one or more children.

In the following example, the title, author, year, and price elements are all children of the book element:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>

 

Siblings

Nodes that have the same parent.

In the following example, the title, author, year, and price elements are all siblings:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>

 

Ancestors
A node’s parent, parent’s parent, etc.

In the following example, the ancestors of the title element are the book element and the bookstore element:

<bookstore>

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>

</bookstore>

 

Descendants

A node’s children, children’s children, etc.

In the following example, the descendants of the bookstore element are the book, title, author, year, and price elements:

<bookstore>

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>

</bookstore>
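
The relationships above can be checked programmatically. The following is an added example, not part of the original tutorial: it parses the bookstore document with Python's standard-library ElementTree and lists the relatives of a chosen element. The helper name `relationships` is hypothetical, and the comments name the XPath 1.0 axis that each result corresponds to.

```python
import xml.etree.ElementTree as ET

# The bookstore document from the tutorial, inlined so the example runs offline.
BOOKSTORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
  <book>
    <title lang="en">Harry Potter</title>
    <author>J K. Rowling</author>
    <year>2005</year>
    <price>29.99</price>
  </book>
</bookstore>"""


def relationships(xml_bytes, tag):
    """Describe the first <tag> element and its relatives by tag name.

    relationships() is a hypothetical helper written for this example.
    Comments name the XPath 1.0 axis each result corresponds to.
    """
    root = ET.fromstring(xml_bytes)
    # ElementTree keeps no parent pointers, so build a child -> parent map.
    parents = {child: parent for parent in root.iter() for child in parent}
    node = root if root.tag == tag else root.find(f".//{tag}")
    if node is None:
        raise ValueError(f"no <{tag}> element in document")

    parent = parents.get(node)
    ancestors, cur = [], parent
    while cur is not None:                      # ancestor::*
        ancestors.append(cur.tag)
        cur = parents.get(cur)

    return {
        "parent": parent.tag if parent is not None else None,   # parent::*
        "children": [c.tag for c in node],                       # child::*
        "siblings": [s.tag for s in parent if s is not node]
                    if parent is not None else [],               # sibling axes
        "ancestors": ancestors,
        "descendants": [d.tag for d in node.iter()][1:],         # descendant::*
        "attributes": dict(node.attrib),                         # attribute::*
        "text": (node.text or "").strip(),                       # text()
    }


if __name__ == "__main__":
    for name in ("bookstore", "book", "title"):
        print(name, relationships(BOOKSTORE, name))
```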

Next: Xpath Injection Part 2

* Some examples used throughout this 3-part XPath Injection series are from the w3schools website. *

4 Comments
  1. what is the XPL ?
    pls help me i new here

  2. Thumbs up

  3. Nice One
