
XPath Injection

Sam Sanoop edited this page Dec 26, 2020 · 3 revisions

Introduction

Data stored in XML can be queried with XPath, which is conceptually similar to SQL: it is a query language used to locate specific elements in an XML document. Unlike SQL, where access can be restricted per database, table or column, XPath has no access-level permissions, and a query can reference almost any part of the XML document. XPath injection is an attack in which malicious input changes the logic of an XPath query, leading to unauthorised access or the exposure of sensitive information such as the structure and content of the XML document. It occurs when user input is used in the construction of the query string.

Details

Within the http://dvws.local/home.html webpage, the DVWS release number is fetched and displayed to the user.


The page sends a request to the API to fetch this information, and the API responds with:

HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Credentials: true
Content-Type: text/html; charset=utf-8
Content-Length: 24
ETag: W/"18-hx3/WRZ37KxqovQX5FdDkW1+uE0"
Date: Sat, 26 Dec 2020 16:57:04 GMT
Connection: close

<release>0.0.1</release>

The value in the above response is read from a config.xml file stored on the local system, using the following XPath query:

"//config/*[local-name(.)='release' and //config//release/text()='" + uservalue + "']" 

The logic of this query can be changed with a payload such as 0.0.1' or 1=1 or 'a'='a. Because the input is concatenated straight into the predicate, the predicate becomes (local-name(.)='release' and //config//release/text()='0.0.1') or 1=1 or 'a'='a, which is true for every child of config, so every element in config.xml is returned rather than only the release number. The fix is to never build the predicate from raw input: validate the value against an allowlist (a release number contains only digits and dots), or emit it as a properly quoted XPath string literal or bind it as an XPath variable instead of concatenating it.
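The following is an added example, not DVWS code: DVWS is a Node/Express application, but Ruby is used here because its bundled REXML library provides an XPath 1.0 engine with no extra dependencies. It builds the page's query by concatenation, runs it against a constructed config.xml, shows the payload above returning every element, and then repeats the lookup with the input emitted as an XPath string literal (handling values that contain one or both quote types) plus an allowlist check. The sample document, its extra elements and every helper function name are assumptions for this example.

```ruby
require 'rexml/document'

# Constructed sample config.xml for this example. The contents of DVWS's real
# config.xml are not shown on the page; the extra elements stand in for
# whatever else the file holds.
CONFIG_XML = <<~XML
  <config>
    <release>0.0.1</release>
    <admin_user>admin</admin_user>
    <admin_pass>s3cr3t</admin_pass>
  </config>
XML

# Evaluate an XPath expression against the sample document and return the
# matched elements as "name=text" strings.
def run_query(query)
  doc = REXML::Document.new(CONFIG_XML)
  REXML::XPath.match(doc, query).map { |e| "#{e.name}=#{e.text}" }
end

# The query exactly as the page shows it being built: the user-supplied value
# is concatenated straight into the predicate.
def vulnerable_query(uservalue)
  "//config/*[local-name(.)='release' and //config//release/text()='" + uservalue + "']"
end

def vulnerable_lookup(uservalue)
  run_query(vulnerable_query(uservalue))
end

# Turn arbitrary input into an XPath 1.0 string literal. XPath 1.0 has no
# escape character, so a value containing one quote type is wrapped in the
# other, and a value containing both is assembled with concat().
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  pieces = value.split("'", -1).map { |piece| "'#{piece}'" }
  "concat(#{pieces.join(', "\'", ')})"
end

# Same lookup, but the input is emitted as a literal, so it can only ever be
# compared against the release text, never interpreted as query logic.
def safe_query(uservalue)
  "//config/*[local-name(.)='release' and //config//release/text()=" + xpath_literal(uservalue) + "]"
end

def safe_lookup(uservalue)
  run_query(safe_query(uservalue))
end

# Second line of defence: a release number is only digits and dots, so reject
# anything else before it reaches the query builder at all.
def valid_release?(value)
  value.match?(/\A\d+(\.\d+)*\z/)
end

if __FILE__ == $PROGRAM_NAME
  payload = "0.0.1' or 1=1 or 'a'='a"
  puts "benign:    #{vulnerable_lookup('0.0.1').inspect}"
  puts "injected:  #{vulnerable_lookup(payload).inspect}"
  puts "hardened:  #{safe_lookup(payload).inspect}"
  puts "allowlist rejects payload: #{!valid_release?(payload)}"
end
```

With the benign value the vulnerable lookup returns only the release element; with the payload it returns every child of config, which is the behaviour the page describes. The hardened lookup returns nothing for the payload because the whole string, quotes included, is compared against the release text. Quoting the literal correctly is what stops the injection; the allowlist is cheap insurance on top of it, since a version string never legitimately contains quotes, spaces or operators.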
