[REVS] Blind XPath Injection

From: SecuriTeam (support_at_securiteam.com)
Date: 05/20/04

    To: list@securiteam.com
    Date: 20 May 2004 17:59:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Blind XPath Injection
    ------------------------------------------------------------------------

    SUMMARY

    The paper linked below describes a Blind XPath Injection attack that
    enables an attacker to extract the complete XML document used for XPath
    querying, without prior knowledge of the XPath query.

    DETAILS

    Abstract:
    This paper describes a Blind XPath Injection attack that enables an
    attacker to extract a complete XML document used for XPath querying -
    without prior knowledge of the XPath query. The attack is "complete" since
    all possible data is exposed. The attack makes use of two techniques -
    XPath crawling, and Booleanization of XPath queries.

    Using this attack, it is possible to get hold of the XML "database" used
    in the XPath query. This can be most powerful against sites that use XPath
    queries (and XML "databases") for authentication, searching, and other
    uses.

    Compared to SQL injection attacks, XPath Injection has the following
    upsides:

    (*) Since XPath is a standard (yet rich) language, it is possible to carry
    the attack 'as-is' to any XPath implementation. This is in contrast to
    SQL injection, where different implementations have different SQL dialects
    (there is a common SQL language, but it is often too weak).

    (*) The XPath language can reference practically all parts of the XML
    document without access control restrictions, whereas with SQL, a "user"
    (which is a term undefined in the XPath/XML context) may be restricted to
    certain tables, columns or queries. So the outcome of the Blind XPath
    Injection attack is guaranteed to consist of the complete XML document,
    i.e. the complete database.

    These results enable an automated attack to fit any XPath-based
    application, provided that it possesses the basic security hole. Indeed,
    such a proof-of-concept script was written and demonstrated on various
    XPath implementations.
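    The "basic security hole" the paper relies on is untrusted input spliced
    into the text of an XPath query. The following Ruby/REXML sketch is an added
    illustration, not code from the advisory or from Klein's paper: it shows an
    authentication lookup built by string concatenation next to a hardened
    version that wraps each input in a proper XPath string literal (using
    concat() to carry embedded apostrophes), so the input can never alter the
    query structure. The XML "database" and the function names are constructed
    for the example.

```ruby
require 'rexml/document'

# Constructed sample "XML database" of the kind the advisory describes.
USERS_XML = <<~XML
  <users>
    <user><name>alice</name><pass>s3cret</pass><role>admin</role></user>
    <user><name>bob</name><pass>hunter2</pass><role>user</role></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable pattern (hypothetical app code): input is interpolated straight
# into the query text, so a quote in the input rewrites the predicate.
def lookup_unsafe(name, pass)
  query = "//user[name='#{name}' and pass='#{pass}']"
  REXML::XPath.first(DOC, query)
end

# Turn an arbitrary string into a safe XPath string literal. Without an
# apostrophe the value is simply single-quoted; otherwise each apostrophe is
# supplied as its own double-quoted literal via concat(), so the input data
# can never close the literal it sits in.
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  parts = value.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{parts.join(', "\'", ')})"
end

# Hardened lookup: same query shape, but every input goes through
# xpath_literal, so the predicate structure is fixed by the code alone.
def lookup_safe(name, pass)
  query = "//user[name=#{xpath_literal(name)} and pass=#{xpath_literal(pass)}]"
  REXML::XPath.first(DOC, query)
end

# Role of the matched user, or nil when the lookup found nothing.
def login_result(node)
  node ? node.elements['role'].text : nil
end

if __FILE__ == $PROGRAM_NAME
  tautology = "' or '1'='1"   # classic quote-breaking input
  puts "unsafe: #{login_result(lookup_unsafe(tautology, tautology)).inspect}"
  puts "safe:   #{login_result(lookup_safe(tautology, tautology)).inspect}"
end
```

    With the tautology input the unsafe lookup returns the first user (alice,
    an admin) without any valid credentials, while the hardened lookup returns
    nothing.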

    ADDITIONAL INFORMATION

    The information has been provided by Amit Klein
    (amit.klein@sanctuminc.com).
    The original article can be found at:
    http://www.sanctuminc.com/pdfc/WhitePaper_Blind_XPath_Injection_20040518.pdf

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

