Xpath Injection
Attack description
Xpath is a language used to query certain parts of an XML document. It can be compared to the SQL language used to query databases. Refer to [[1]] for more info on Xpath.
In some cases the parameters within the SOAP Body are directly used as input for an Xpath query. If this user input is not validated properly, an attacker can modify the Xpath query as he wishes. In the worst case scenario the attacker is able to read out the entire XML document that is queried.
NOTE: Xpath injections are usually more dangerous than SQL injections, since XML documents have no Access Control mechanism.
Attack subtypes
There are no attack subtypes
Prerequisites for attack
In order for this attack to work the attacker has to have knowledge about the following things:
- Attacker knows the endpoint of the web service; otherwise he is not able to reach the web service.
- Attacker knows metadata such as the WSDL file.
- Attacker can reach endpoint from its location. Access to the attacked web service server is possible for the attacker. This prerequisite is important if the web service is only available to users within a certain network.
Graphic representation of attack
The attack aims at the application logic, performing queries not intended by the developer.
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Attack example
Let's assume that a SOAP message delivers a customer ID to the application logic, which queries the XML document containing all customer information. The application logic then takes the input and forms the following Xpath query:
//users/custid[123]
Listing 1: Xpath query
Listing 2 shows an example where a user supplied the customer id "123". As a result the application will return information about the customer "123".
//users/custid[123]
Listing 2: Xpath query with example
Listing 3 shows an example where a user supplied the customer id "./age>0". As a result the application will return information about every customer in the entire XML document, since every customer has an age > 0.
//users/custid[./age>0]
Listing 3: Malicious Xpath query
Attack mitigation / countermeasures
Validate every user input used within an Xpath query. Think about every scenario possible. Prohibit as many special characters as possible!
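The following is an added example, not code from the original page: it runs the page's Listing 2 and Listing 3 queries against a small constructed customer document, then shows the lookup hardened as the mitigation above describes (allowlist validation of the id, plus passing the value as an XPath variable so the predicate structure can no longer be altered). It assumes lxml is installed; the document layout, the hypothetical `lookup_*` functions and the id used are my assumptions.

```python
"""Added example: the page's Listing 2 vs Listing 3 on a constructed
document, then the same lookup hardened. Assumes lxml is installed."""
import re
from lxml import etree

# Constructed sample data (not from the page). Each <custid> holds one
# customer record, as the page's predicate ./age>0 implies.
CUSTOMERS_XML = b"""<users>
  <custid><name>Alice</name><age>34</age></custid>
  <custid><name>Bob</name><age>27</age></custid>
  <custid><name>Carol</name><age>52</age></custid>
</users>"""

# Allowlist for the customer id: a plain integer, nothing else.
CUSTID_RE = re.compile(r"[0-9]{1,9}")


def lookup_vulnerable(doc, custid: str) -> list:
    """The page's pattern: the SOAP parameter is pasted into the predicate."""
    query = f"//users/custid[{custid}]"          # Listing 1 built by hand
    return [e.findtext("name") for e in doc.xpath(query)]


def lookup_hardened(doc, custid: str) -> list:
    """Reject anything but an integer, then bind it as XPath variable $n
    so the query text is fixed before any user data is involved."""
    if not CUSTID_RE.fullmatch(custid):
        raise ValueError("customer id must be a plain integer")
    return [e.findtext("name")
            for e in doc.xpath("//users/custid[position()=$n]", n=int(custid))]


def demo() -> dict:
    """The page's predicate is positional, so a small document needs a
    small id; "2" plays the role of the page's "123"."""
    doc = etree.fromstring(CUSTOMERS_XML)
    results = {
        "listing2": lookup_vulnerable(doc, "2"),        # one customer
        "listing3": lookup_vulnerable(doc, "./age>0"),  # every customer
        "hardened_ok": lookup_hardened(doc, "2"),
    }
    try:
        lookup_hardened(doc, "./age>0")
        results["hardened_injection"] = "accepted"
    except ValueError:
        results["hardened_injection"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```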
Attack categorisation
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
- Category:Attack_Categorisation_By_Violated_Security_Objective_OTHER
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Application_Logic
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Application_Specific_Flaws
References
- Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A Survey of Attacks on Web Services. Springer-Verlag, 2009.
- OWASP Foundation. Testing for XML Injection. http://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29, January 2010. Accessed 01 July 2010.
- Amit Klein. Blind XPath Injection. http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf, 2004. Accessed 01 July 2010.
- Jan Peters. Use of SOA Appliances in Service-Oriented Infrastructures. CAST-Workshop - SOA Security, June 2009.
- N/A. Protecting Enterprise, SaaS & Cloud Based Applications – A Comprehensive Threat Model for REST, SOA and Web 2.0. Technical report, Intel Corporation, 2009.
- Leroy Metin Yaylacioglu. Business Value einer Web Service Firewall. Master's thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.