Secure Code Warrior - XQuery injection
Download as PPTX, PDF0 likes145 views
XQuery injection is a security vulnerability similar to SQL injection, where unsafe user-supplied input manipulates XML queries, allowing attackers to access unauthorized data or elevate privileges. It occurs when user input is not properly sanitized, which can lead to authentication bypass and data extraction. To prevent such attacks, user input should be filtered or validated, and parameterized queries along with the principle of least privilege should be utilized.
![XQuery Injection
Understanding the security vulnerability
A website uses an XML-
based database for storing
user credentials and
performing authentication.
An attacker manipulates the query in
an attempt to perform XPath
injection and circumvent the
authentication mechanism.
The injected XML is
processed and results
in the attacker being
logged in as admin
The login field results in an XPath
query that verifies the provided
credentials and retrieves the
account privileges.
User:admin' or
'1' = '1
Pass:whatever
Welcome,
Admin!
User: John
Pass: dragon
Authentication
bypass
<?xml version="1.0"
encoding="ISO-8859-1"?>
<users>
<user>
<username>admin</username>
<password>trustno1</password
> <account>admin</account>
</user>
<user>
<username>john</username>
<password>dragon</password>
<account>guest</account>
</user>
</users>
users.xml
string(//user[username/text()=
‘john' and
password/text()=‘dragon']/
account/text())
Guest
string(//user[username/text()=
‘admin' or '1' = '1' and
password/text()=
‘whatever']/account/text())
Admin](https://image.slidesharecdn.com/xqueryinjection-161030130520/85/Secure-Code-Warrior-XQuery-injection-3-320.jpg)
![XQuery Injection
Understanding the security vulnerability
A website’s user base is
contained in an XML
document and can be
searched by entering a
username.
The injected code modifies the
query and causes it to be valid for
every user in the XML file.
As a result of the query, the
attacker receives a list of all
user nodes contained in the
document.
An attacker injects some XML code
to try to modify the query.
<?xml version="1.0"
encoding="ISO-8859-1"?>
<users>
<user>
<uname>admin</uname>
<fname>Jane</fname>
<lname>Doe</lname>
</user>
<user>
<uname>jdoe</uname>
<fname>John</fname>
<lname>Doe</lname>
</user>
</users>
Data extraction
Find user:
jdoe
doc("users.xml")/users/
user[uname=“jdoe"]
uname: jdoe
fname: John
lname: Doe
Find user:
Something"
or ""="
doc("users.xml")/
userlist/user[uname=
"something" or
""=""]](https://image.slidesharecdn.com/xqueryinjection-161030130520/85/Secure-Code-Warrior-XQuery-injection-4-320.jpg)
Secure Code Warrior - XQuery injection
- 1. XQuery Injection Web App Vulnerabilities by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
- 2. What is it? XQuery injection is similar to SQL injection, but instead takes place when unsafe user-supplied input is used to query XML data resulting in execution of the input. This type of attack is often called XPath injection as well. What causes it? If user input is not properly sanitized before being used in the XPath query, the user can manipulate the search. What could happen? An attacker could be able to access data that should not be accessible or even elevate his privileges if XML is used for authentication. Opposed to SQL injection, there is no level access control, allowing an attacker to retrieve the entire document. How to prevent it? Sanitize user input through filtering or validation. Use parameterized queries and apply least privilege, such as a read only user.
- 3. XQuery Injection Understanding the security vulnerability A website uses an XML- based database for storing user credentials and performing authentication. An attacker manipulates the query in an attempt to perform XPath injection and circumvent the authentication mechanism. The injected XML is processed and results in the attacker being logged in as admin The login field results in an XPath query that verifies the provided credentials and retrieves the account privileges. User:admin' or '1' = '1 Pass:whatever Welcome, Admin! User: John Pass: dragon Authentication bypass <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <username>admin</username> <password>trustno1</password > <account>admin</account> </user> <user> <username>john</username> <password>dragon</password> <account>guest</account> </user> </users> users.xml string(//user[username/text()= ‘john' and password/text()=‘dragon']/ account/text()) Guest string(//user[username/text()= ‘admin' or '1' = '1' and password/text()= ‘whatever']/account/text()) Admin
- 4. XQuery Injection Understanding the security vulnerability A website’s user base is contained in an XML document and can be searched by entering a username. The injected code modifies the query and causes it to be valid for every user in the XML file. As a result of the query, the attacker receives a list of all user nodes contained in the document. An attacker injects some XML code to try to modify the query. <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <uname>admin</uname> <fname>Jane</fname> <lname>Doe</lname> </user> <user> <uname>jdoe</uname> <fname>John</fname> <lname>Doe</lname> </user> </users> Data extraction Find user: jdoe doc("users.xml")/users/ user[uname=“jdoe"] uname: jdoe fname: John lname: Doe Find user: Something" or ""=" doc("users.xml")/ userlist/user[uname= "something" or ""=""]
- 5. XQuery Injection Realizing the impact XML used for authentication could allow an attacker to log in as another user. A manipulated query could result in data modification or deletion. An attacker could be able to retrieve the entire XML document, resulting in compromised data.
- 6. XQuery Injection Preventing the mistake Never trust user input! Apply application-wide filters or sanitization on all user- provided input. GET and POST parameters, Cookies and other HTTP headers. Apply white-list input validation. Libraries exist in different frameworks. Use a parameterized XPath interface. Use a read only user to perform queries.