Penetration Testing mailing list archives
RE: XPath injection doubt
From: "Andy JKC" <andy () inetconsulting co uk>
Date: Sat, 24 Sep 2005 17:28:20 +0100
As the entire query is likely in [] with XPath, unlike SQL, you get, e.g.:

  (//user[name/text()=' + InsertString + '])

where the "hi' or 1=1 or 'hey'='hello" string deals with the surrounding ''s, giving you room to inject 1=1 to return a positive.

Whereas with, e.g.:

  select * from [table] where username = ' + InsertString + ';

the "hi' or 1=1--" string closes the ''s, returns a positive (1=1) and then comments the following SQL out (--).

Hope that helps,
Andy.

P.S. There's a decent paper at http://www.watchfire.com/resources/blind-xpath-injection.pdf

-----Original Message-----
From: Anne Beckman [mailto:anne.beckman () gmail com]
Sent: 24 September 2005 04:44
To: pen-test () securityfocus com
Subject: XPath injection doubt

I am learning the XPath injection technique. To bypass authentication, we give a string like:

  hi' or 1=1 or 'hey'='hello

I noticed that the equivalent string in SQL injection would have been shorter:

  hi' or 1=1--

I understand that XPath does not have comments, so we cannot use the -- technique to comment out the rest of the query. But how does that additional OR clause with 'hey'='hello solve the problem too?

Thank-you,
Anne

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
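The following is an added example and not part of the thread or of either poster's code. It makes Andy's point concrete from the defender's side: the first builder concatenates the untrusted value into the predicate exactly as the thread describes, so the quotes of the value become part of the query; the second builder turns the value into a proper XPath 1.0 string literal first (XPath 1.0 has no escape sequence for a quote inside a literal, so a value containing both quote kinds has to be assembled with concat()). The function names and the hypothetical `//user[name/text()=...]` document layout are assumptions taken from the reply.

```python
# Added example (not from the original thread): vulnerable XPath query
# construction beside a hardened builder that emits a safe string literal.


def vulnerable_login_query(username: str) -> str:
    """Raw concatenation, as in the thread: the value's quotes become query syntax."""
    return "//user[name/text()='" + username + "']"


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 string literal holding an arbitrary string.

    XPath 1.0 cannot escape a quote inside a literal, so:
      - no single quote in the value  -> wrap in single quotes
      - no double quote in the value  -> wrap in double quotes
      - both kinds present            -> concat() of quote-free pieces,
                                         with each ' supplied as "'"
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append("'" + piece + "'")  # piece contains no ' by construction
        parts.append("\"'\"")                # the ' that was split out
    parts.pop()                              # no separator after the last piece
    if len(parts) == 1:
        return parts[0]
    return "concat(" + ", ".join(parts) + ")"


def safe_login_query(username: str) -> str:
    """Hardened builder: the whole value is one literal, so 1=1 never becomes a predicate."""
    return "//user[name/text()=" + xpath_literal(username) + "]"


def breaks_out_of_literal(username: str) -> bool:
    """Detection-side check for the vulnerable builder: a single quote in the
    value would close the surrounding '' and let the remainder become query syntax."""
    return "'" in username


if __name__ == "__main__":
    # Constructed inputs: a normal name and the payload quoted in the thread.
    for name in ("alice", "hi' or 1=1 or 'hey'='hello"):
        print("input:      ", name)
        print("vulnerable: ", vulnerable_login_query(name))
        print("hardened:   ", safe_login_query(name))
        print("breaks out: ", breaks_out_of_literal(name))
        print()
```

With the thread's payload the vulnerable builder yields `//user[name/text()='hi' or 1=1 or 'hey'='hello']`, where the trailing `'hey'='hello` exists only to consume the query's closing quote, while the hardened builder yields `//user[name/text()="hi' or 1=1 or 'hey'='hello"]`, a comparison against one literal that no user name matches. Where the XPath engine supports variable binding (for example `javax.xml.xpath` with an `XPathVariableResolver`, or lxml's `xpath(..., name=value)`), binding the value as a variable is preferable to building literals by hand.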
Current thread:
- XPath injection doubt Anne Beckman (Sep 24)
- RE: XPath injection doubt Andy JKC (Sep 24)