By: Multi Thinker
July 8, 2015

XPath Injection (Part 2)

The XML Example Document

We'll use the following XML document in the examples below.
<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
  <book>
    <title lang="eng">Harry Potter</title>
    <price>76.99</price>
  </book>
  <book>
    <title lang="eng">Learning XML</title>
    <price>22.95</price>
  </book>
  <book>
    <title lang="eng">Learning XPATH</title>
    <price>30.20</price>
  </book>
  <book>
    <title lang="eng">Learning Secrets of Injections</title>
    <price>50.99</price>
  </book>
  <book>
    <title lang="eng">Learning Programming</title>
    <price>53.45</price>
  </book>
</bookstore>
Selecting Nodes

XPath uses path expressions to select nodes in an XML document. A node is selected by following a path, or a series of steps. The most useful path expressions are listed below:

Expression   Description
nodename     Selects all nodes with the name "nodename"
/            Selects from the root node
//           Selects nodes in the document from the current node that match the selection, no matter where they are
.            Selects the current node
..           Selects the parent of the current node
@            Selects attributes
Some Basic XPath Expressions

In the table below, we have listed some path expressions and the result of each expression:

Path Expression   Result
bookstore         Selects all nodes with the name "bookstore"
/bookstore        Selects the root element bookstore
bookstore/book    Selects all book elements that are children of bookstore
//book            Selects all book elements no matter where they are in the document
bookstore//book   Selects all book elements that are descendants of the bookstore element, no matter where they are under the bookstore element
//@lang           Selects all attributes that are named lang

Note: If the path starts with a slash ( / ) it always represents an absolute path to an element!
Predicates

Predicates are used to find a specific node or a node that contains a specific value. Predicates are always embedded in square brackets. In the table below, we have listed some path expressions with predicates and the results of the expressions (from w3schools):

Path Expression                       Result
/bookstore/book[1]                    Selects the first book element that is the child of the bookstore element
/bookstore/book[last()]               Selects the last book element that is the child of the bookstore element
/bookstore/book[last()-1]             Selects the last but one (second-to-last) book element that is the child of the bookstore element
/bookstore/book[position()<3]         Selects the first two book elements that are children of the bookstore element
//title[@lang]                        Selects all the title elements that have an attribute named lang
//title[@lang='eng']                  Selects all the title elements that have an attribute named lang with a value of 'eng'
/bookstore/book[price>35.00]          Selects all the book elements of the bookstore element that have a price element with a value greater than 35.00
/bookstore/book[price>35.00]/title    Selects all the title elements of the book elements of the bookstore element that have a price element with a value greater than 35.00
Selecting Unknown Nodes

XPath wildcards can be used to select unknown XML elements:

Wildcard   Description
*          Matches any element node
@*         Matches any attribute node
node()     Matches any node of any kind

In the table below, we have listed some path expressions and the results of the expressions:

Path Expression   Result
/bookstore/*      Selects all the child nodes of the bookstore element
//*               Selects all elements in the document
//title[@*]       Selects all title elements which have any attribute
Selecting Several Paths

By using the | operator in an XPath expression, you can select several paths. In the table below, we have listed some path expressions and the results of the expressions:

Path Expression                 Result
//book/title | //book/price     Selects all the title AND price elements of all book elements
//title | //price               Selects all the title AND price elements in the document
/bookstore/book/title | //price Selects all the title elements of the book element of the bookstore element AND all the price elements in the document
Introduction to Injection in XPath Queries

With the above in mind, take as an example a page that accepts a username as input and, if that user exists in the XML file, displays the user's details (name and phone number). When injecting, we know that a string value in the query is delimited by either single or double quotes, and we can find out which by testing: " or ""=" checks for double quotes, and ' or ''=' checks for single quotes. Whichever one works tells us which delimiter the query uses internally. Now, let's assume a simple query:

/root/parent/something[username='our_input_here']/user

The user element is returned once the predicate matches the supplied username. If we make the condition always true with ' or ''=', we see the first user's details. To enumerate every user one at a time, we use the position() function, which selects each node by its position in turn:
/root/parent/something[username='' or position()=1 or '']/user
/root/parent/something[username='' or position()=2 or '']/user
/root/parent/something[username='' or position()=3 or '']/user
/root/parent/something[username='' or position()=4 or '']/user
/root/parent/something[username='' or position()=5 or '']/user
This is how we can enumerate each user one by one.
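To make the difference between the string-built query above and a safe one concrete, here is an added Python example (not code from the original post). It places the post's concatenated query next to a version that binds the input as an XPath variable and replays the position() enumeration against both; it assumes lxml is installed, and the users XML, element names and allowlist pattern are constructed for the example.

```python
"""Vulnerable vs. parameterised XPath lookup: an added example, not code from
the original post. Assumes lxml is installed; the users XML is constructed."""
import re
from lxml import etree

# Constructed sample data shaped like the post's
# /root/parent/something[username=...]/user query.
USERS_XML = b"""<root><parent>
  <something><username>alice</username><user>Alice A, 555-0101</user></something>
  <something><username>bob</username><user>Bob B, 555-0102</user></something>
  <something><username>carol</username><user>Carol C, 555-0103</user></something>
</parent></root>"""
DOC = etree.fromstring(USERS_XML)

# Defence in depth: a username is a plain token, so input carrying quotes,
# brackets or spaces is rejected (and worth logging as a probe) up front.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def lookup_vulnerable(username: str) -> list[str]:
    """String concatenation, the pattern the post exploits: a quote in the
    input closes the literal and the rest is parsed as XPath syntax."""
    query = f"/root/parent/something[username='{username}']/user"
    return [node.text for node in DOC.xpath(query)]


def lookup_safe(username: str) -> list[str]:
    """Binds the input as XPath variable $u. lxml passes it to libxml2 as a
    string value, so quotes and `or position()=N` stay data, not operators."""
    query = "/root/parent/something[username=$u]/user"
    return [node.text for node in DOC.xpath(query, u=username)]


def is_plausible_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def enumerate_vulnerable(positions: int) -> list[str]:
    """Replays the post's position()-based enumeration against the vulnerable
    lookup; positions past the last record simply match nothing."""
    leaked: list[str] = []
    for pos in range(1, positions + 1):
        leaked.extend(lookup_vulnerable(f"' or position()={pos} or '"))
    return leaked


if __name__ == "__main__":
    probe = "' or ''='"
    print(lookup_vulnerable("bob"), lookup_safe("bob"))
    print(lookup_vulnerable(probe), lookup_safe(probe), enumerate_vulnerable(5))
```

The vulnerable lookup returns every record for the quote probe and one record per position for the enumeration payloads, while the variable-bound lookup returns nothing for either.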


* some examples used in Part 1 & Part 2 are from the w3schools website *
