XPath is a language for selecting parts of an XML document; it plays a role similar to that of SQL for relational databases. Refer to [] for more information on XPath.
In some cases the parameters within the SOAP Body are used directly as input for an XPath query. If this user input is not validated properly, an attacker can modify the XPath query as he wishes. In the worst case the attacker is able to read out the entire XML document that is queried.
NOTE: XPath injections are usually more dangerous than SQL injections, since XML documents have no access control mechanism: there are no per-table or per-user privileges that could limit what a manipulated query is allowed to return, so a single altered query can reach every node in the document.
There are no attack subtypes.
Prerequisites for attack
In order for this attack to work, the attacker has to know or be able to do the following:
- Attacker knows the endpoint of the web service; otherwise he is not able to reach it.
- Attacker knows metadata such as the WSDL file.
- Attacker can reach the endpoint from his location, i.e. access to the attacked web service server is possible for the attacker. This prerequisite matters if the web service is only available to users within a certain network.
Graphic representation of attack
- Red = attacked web service component
- Black = location of the attacker
- Blue = web service component not directly involved in the attack
Let us assume that a SOAP message delivers a customer ID to the application logic, which queries the XML document containing all customer information. The application logic then takes the input and forms the following XPath query:
Listing 1: XPath query
Listing 2 shows an example where a user supplied the customer ID "123". As a result the application will return information about customer "123".
Listing 2: XPath query with example
Listing 3 shows an example where a user supplied the customer ID "./age>0". As a result the application will return information about every customer in the entire XML document, since every customer has an age > 0. The injected input is not treated as a literal ID value but becomes part of the predicate, which is what turns the lookup of a single record into a dump of the whole document.
Listing 3: Malicious XPath query
Attack mitigation / countermeasures
Validate every user input that is used within an XPath query, and think through every possible scenario. Prefer an allow-list (for a numeric customer ID: digits only, within a sane length) over a deny-list, and prohibit as many special characters as possible. Where the XPath engine supports it, pass user data through variable binding (a `$customerId` reference resolved by the engine) instead of string concatenation, so the input can never change the structure of the query. If a value has to be embedded as a string literal, remember that XPath 1.0 string literals have no escape character, so a value containing quotes must be split and rejoined with concat() rather than simply quoted.
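The walk-through above (Listings 1 to 3) and the countermeasures are illustrated by the following added example; it is not code from the original page. The customer document is constructed for the illustration, the query template `//customer[id=...]` is an assumption (the page's Listing 1 is not reproduced here), and all function names are hypothetical. The vulnerable builder shows how the input `./age>0` from Listing 3 lands inside the predicate; the hardened lookup applies the countermeasures, an allow-list for the customer ID and a safe XPath string literal for values that must be embedded. Python's standard-library ElementTree evaluates only a subset of XPath, so the hardened lookup uses the `.//customer[id='...']` form it supports, and the malicious query itself is not executed here.

```python
"""XPath injection: vulnerable query construction next to a hardened lookup.

Added example, not code from the original page. The customer document, the
query template //customer[id=...] and the function names are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample document standing in for the customer XML file.
CUSTOMERS_XML = """<customers>
  <customer><id>123</id><name>Alice</name><age>34</age></customer>
  <customer><id>456</id><name>Bob</name><age>29</age></customer>
  <customer><id>789</id><name>Carol</name><age>52</age></customer>
</customers>"""

# Allow-list for a customer ID: one to ten digits, nothing else.
CUSTOMER_ID_RE = re.compile(r"[0-9]{1,10}")


def build_query_vulnerable(customer_id: str) -> str:
    """Builds the query the way the vulnerable application logic does:
    by concatenating untrusted input into the predicate. The input ./age>0
    from Listing 3 becomes part of the expression instead of a literal ID."""
    return "//customer[id=" + customer_id + "]"


def is_valid_customer_id(customer_id: str) -> bool:
    """Allow-list check. Quotes, brackets, operators and path steps such as
    ./age>0 can never pass, so they cannot alter the query structure."""
    return CUSTOMER_ID_RE.fullmatch(customer_id) is not None


def xpath_string_literal(value: str) -> str:
    """Turns an arbitrary string into a safe XPath 1.0 string literal.
    XPath 1.0 has no escape character inside quotes, so a value containing
    both kinds of quote is split on ' and rejoined with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in parts) + ")"


def find_customer_names(xml_text: str, customer_id: str) -> list:
    """Hardened lookup: validate first, then embed the value as a quoted
    literal. Returns the names of matching customers (expected: at most one)."""
    if not is_valid_customer_id(customer_id):
        raise ValueError("invalid customer id: %r" % customer_id)
    query = ".//customer[id=" + xpath_string_literal(customer_id) + "]"
    root = ET.fromstring(xml_text)
    return [c.findtext("name") for c in root.findall(query)]


if __name__ == "__main__":
    print(build_query_vulnerable("123"))        # //customer[id=123]
    print(build_query_vulnerable("./age>0"))    # //customer[id=./age>0]
    print(find_customer_names(CUSTOMERS_XML, "123"))  # ['Alice']
    try:
        find_customer_names(CUSTOMERS_XML, "./age>0")
    except ValueError as err:
        print("rejected:", err)
```

In engines that support variable binding (for example Java's `javax.xml.xpath` with an `XPathVariableResolver`), the value should be passed as `$customerId` and never spliced into the query string at all; the literal-quoting helper is the fallback for engines without that facility, and the allow-list check belongs in front of either approach.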
Categorisation by violated security objective
The attack allows the attacker to read data from the queried XML document that he is not authorised to see, in the worst case the entire document; therefore it violates the security objective Confidentiality.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
Categorisation by attack spreading
- Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.
- OWASP Foundation. Testing for XML injection. http://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29, January 2010. Accessed 01 July 2010.
- Amit Klein. Blind XPath injection. http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf, 2004. Accessed 01 July 2010.
- Jan Peters. Use of SOA appliances in service-oriented infrastructures. CAST-Workshop SOA Security, June 2009.
- N/A. Protecting enterprise, SaaS & cloud based applications: a comprehensive threat model for REST, SOA and Web 2.0. Technical report, Intel Corporation, 2009.
- Leroy Metin Yaylacioglu. Business value einer Web Service Firewall. Master's thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.