On authentication, the developer builds an Xpath expression this way:
The txtUserName and txtPassword variables are standard ASPX textboxes. When the attacker inserts an expression with an apostrophe (') to one of the textboxes, the attacker terminates the string and is able to write his own XPath expression. The scenario is basically the same as with SQL injection.
What can XPath injection attack do
An attacker can get, modify or delete anything stored in the given XML file.
Finding XPath injection vulnerabilities
The first technique is based on trying. Try to insert strings like:
- 'whatever – basic test
to all inputs/URL parameters/whatever. If you see any error related to classes which provide manipulation with XMLs in ASP.NET, you have probably found an XPath injection threat.
The second way is to search for vulnerabilities in code. You can search for the following strings:
- Xpath – many classes which work with XPath have the 'xpath' string in their name.
- SelectSingleNode() and SelectNodes() – methods used in Kentico CMS for getting data from XML files via XPath.
Avoiding XPath injection in Kentico CMS
We do not store sensitive data in XML files in Kentico CMS at the moment. We also do not have any code where an XPath expression is built as described in the provided example. But this may change in the future. You can avoid XPath injection by following these rules:
- Validate input from external sources before you put it into XPath expressions.
- For characters like ', <, >, etc., use replace entities. "'" is a replace entity for an apostrophe.