Tuesday, March 28, 2017

XPath Injection Exploitation

XPath is a query language used to select data from XML data sources. It is increasingly common for web applications to use XML data files on the back-end, using XPath to perform queries much the same way SQL would be used against a relational database.

XPath injection, much like SQL injection, exists when a malicious user can insert arbitrary XPath code into form fields and URL query parameters in order to inject this code directly into the XPath query evaluation engine. Doing so would allow a malicious user to bypass authentication (if an XML-based authentication system is used) or to access restricted data from the XML data source.
Source: http://www.rapid7.com/vulndb/lookup/spider-xpath-injection
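The authentication bypass described above comes from building the query by string concatenation. The following is an added example, not part of the original post, that puts such a query beside a parameterized one; it assumes the third-party lxml library, and the XML layout, credentials and function names are constructed for illustration.

```python
# Added example: string-built vs. parameterized XPath login lookup.
# The user store, credentials and function names below are constructed.
from lxml import etree  # third-party: pip install lxml

USERS_XML = b"""<users>
  <user><name>alice</name><password>s3cret</password></user>
  <user><name>bob</name><password>it's-me</password></user>
</users>"""
DOC = etree.fromstring(USERS_XML)

# Constructed test input: a quote closes the string literal early and the
# rest is parsed as XPath operators instead of data.
PAYLOAD = "' or '1'='1"


def login_vulnerable(username, password):
    """Vulnerable: user input is pasted into the query text."""
    query = ("//user[name/text()='%s' and password/text()='%s']/name/text()"
             % (username, password))
    return DOC.xpath(query)


def login_parameterized(username, password):
    """Hardened: the query text is fixed; input is bound to $u and $p and
    is only ever compared as a string value, never parsed as XPath."""
    return DOC.xpath(
        "//user[name/text()=$u and password/text()=$p]/name/text()",
        u=username, p=password)


def attempt(login, username, password):
    """Return the matched user names, or 'error' if the engine rejects
    the query (a useful signal to log on the server side)."""
    try:
        return [str(n) for n in login(username, password)]
    except etree.XPathError:
        return "error"


if __name__ == "__main__":
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__)
        print("  valid login    :", attempt(fn, "alice", "s3cret"))
        print("  injected input :", attempt(fn, PAYLOAD, PAYLOAD))
        print("  apostrophe pwd :", attempt(fn, "bob", "it's-me"))
```

The string-built query also fails on a legitimate password that contains an apostrophe, so XPath evaluation errors in application logs are worth alerting on.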

This video is a simple demo of XPath injection exploitation. The tool XPath Blind Explorer is used in the video to perform the attack.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing.