Penetration Testing mailing list archives
Re: XPath injection doubt
From: "Roshen Chandran" <roshen.chandran () paladion net>
Date: Fri, 30 Sep 2005 10:46:55 +0530
Anne Beckman wrote:
But how does that additional OR clause with 'hey'='hello solve the problem too?
The 3rd OR clause in the attack string makes the password comparison clause irrelevant, much like the way a comment made the AND clause irrelevant in SQL Injection. AND has higher precedence than OR, so the AND clause is first evaluated with 'hey'='hello' and returns false. After that all the OR clauses are evaluated. Notice that 1=1 will always evaluate to true... so the overall condition will evaluate to true even when the password comparison fails.

The logic of the string is explained in better detail in this Palisade article: http://palisade.paladion.net/issues/2005Jul/xpath-injection/

Roshen.
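The precedence argument in the reply above, as an added example that is not part of the original message: a small evaluator for `=` comparisons joined by `and`/`or` shows why a predicate built by string concatenation is true for a wrong password, next to a check that treats the input purely as data. The field names, the sample record and the crafted username (rebuilt from the clauses the reply names) are assumptions.

```python
import re

# Tokens: a quoted string, '=', or a bare word (and / or / field name / number).
TOKEN = re.compile(r"\s*('[^']*'|=|\w+)")

def evaluate(predicate, node):
    """Evaluate '=' comparisons joined by and/or, with 'and' binding tighter."""
    tokens, pos = TOKEN.findall(predicate), 0

    def operand():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        # Quoted text is a literal; a bare word is a field name or a number.
        return tok[1:-1] if tok.startswith("'") else node.get(tok, tok)

    def comparison():
        nonlocal pos
        left = operand()
        pos += 1                      # skip '='
        return left == operand()

    def and_expr():                   # evaluated before any 'or'
        nonlocal pos
        result = comparison()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = comparison() and result
        return result

    result = and_expr()
    while pos < len(tokens) and tokens[pos] == "or":
        pos += 1
        result = and_expr() or result
    return result

def login_concat(node, username, password):
    # Weak pattern: input is pasted between the quotes of the expression.
    return evaluate(f"username='{username}' and password='{password}'", node)

def login_bound(node, username, password):
    # Input is compared as data and never becomes part of the expression.
    return node["username"] == username and node["password"] == password

USER = {"username": "alice", "password": "s3cret"}  # constructed sample record
CRAFTED = "' or 1=1 or 'hey'='hello"                # assumption, see lead-in
```

With `CRAFTED` as the username, the concatenated predicate becomes `username='' or 1=1 or 'hey'='hello' and password='...'`, so the password comparison only ever affects the last, already-false `and` group.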