Write for Social Science

Every time I went to a party in university and told someone that I studied psychology, at least one person would ask me, “So you can read minds?” Unfortunately, no. Still, there’s a lot of really…

Smartphone

独家优惠奖金 100% 高达 1 BTC + 180 免费旋转




Hacking XML Data

Obtaining illegal data access using XPATH injections

Code injection is a vulnerability with many faces: from SQL injection to OS command injection. These attacks happen because of a common programming mistake: letting user input pollute executable code.

Today, let’s talk about a lesser-known type of code injection: injecting into XPATH queries.

XPATH is a query language used for XML documents. Think SQL for XML.

XPATH provides the ability to navigate around the XML document tree, and select specific elements based on certain criteria.

For example, given an XML document:

The XPATH expression below will select the ids of all employees:

While this XPATH expression will select the names of all employees:

As you can see, XPATH is very similar to SQL in terms of functionality, albeit with a slightly different syntax. The basic syntax of XPATH is kind of like navigating the XML document using a file path.

One major difference between XPATH and SQL is that XPATH is a standard language, and is not implementation-dependent. Whereas SQL has many different SQL dialects like MySQL, MSSQL, PostgreSQL, and SQLite. This difference is significant because it means that exploiting XPATH injection vulnerability is easier and potentially more scalable than exploiting SQL injection vulnerabilities because attackers won’t have to customize their payloads according to the dialect.

XPATH can be used to query and perform operations on data stored in XML documents. For example, XPATH can be used to retrieve salary information of employees stored in an XML document, and can also be used to perform numeric operations or comparisons on that data.

Add a comment

Related posts:

Future in the First

Stepping foot on the freshly cut grass of campus, hearing the chattering of people in the lecture halls, and feeling the rush of a thousand different people going in and out of buildings are the…

Three Reasons to Write in a Journal

Taking these three beliefs together, it is only natural that I am keen on using a journal to navigate life. Let me tell you how journaling has helped me…as I suggest it to you. When I tell a friend…

Old Man and The Speedo

Another grey day breaks against the coast, Shadows of seals bark as slips of white foam Sink into the sand. The beach, empty of conversation, runs north, Returns south like a dog sure Of the…