XPath Injection

XPath query are used to fetch data from an XML database, and like SQL it can be vulberable to injection. Similarly to SQL, if an attacker is able to control a value used in a query, (s)he could craft a malicious request to steal extra information from the database. But there is two major differences with SQL. First XPath can only be used to fetch data, so an attacker won't be able to insert or modify entries. And since XPath doesn't implement any system of access control, if you get an injection point, you should be able to recover the whole document.

This training will focus on XPath1, as it is the most commonly found on the internet.
To learn more about the XPath syntax and all the available functions, you can read this guide by Mozilla.


Imagine the following php code for a simple admin login.

We can see that an user supplied pass is injected directly inside the query. This really bad practice make your code vulnerable to XPath injection attack.
This is what the actual query look like after the variable substitution:

Now let's look at what happend when we tried to inject some malicious XPath.

When the $pass is set to admin" or "a"="athe meaning of query change, this is an injection. Here the attacker completly bypass the password check because of the extra or true at the end.
But this is not the only thing an attacker can do in this scenario, by using the merging feature of XPath it is possible to extract anything from the database.

This time, instead of only fetching the usernode, the query will also merge / (the root of the database) to the results.


Now that you know the basics of XPath injection, you can test your skill on our official challenges.