Forum Moderators: open
Here's a classic example of SQL injection. This is a query that checks the existence of a name/password combo. Presumably if this query returns any rows, then the user is authenticated to enter the site or do something.
SELECT * FROM users WHERE name = '[red]John[/red]' AND password = '[red]abc123[/red]']A clever script kiddie can inject some intentional mischief, like this:
SELECT * FROM users WHERE name = '[red]H4x0r'; DROP TABLE users --[/red]' and password = '[red]foo[/red]'SQL databases are vulnerable to SQL injection. If you're storing your data as XML (or via an XML interface), your XML is vulnerable to XPATH Injection. If you don't pasteurize user input used in an XPATH query, a mailicious user can turn a useful XPATH expression into a big security hole.
Say your C#/PHP/Perl code expects to build an XPATH like this:
String(//users[@name='[red]John[/red]' and @password='[red]abc123[/red]']">it may actually be given input like this:
String(//users[@name='[red]H4x0r' OR 1=1 OR 1='[/red]' and @password='[red]foo[/red]']">Depending on what's present in the XML, the end user may be able to sniff out your entire roster of names and passwords. Or your client mailing list. Or some precious config settings. Who knows! They may be able to grab piles of data with a single query, or it might take thousands of automated queries to grab one letter at a time from every node. There are automated hackerware tools that can find+exploit XPATH vulnerabilities quickly and effectively. And if someone is serious about doing some XPATH injection, they'll probably have and use one.
XPATH injection isn't as seemingly powerful as SQL injection; after all SQL has these fantastic methods like DROP and DELETE and UNION and INSERT... it only takes one crack in the wall and an attacker can do whatever they please all over your tables. With XPATH, usually all an attacker can do is read stuff they aren't allowed to read. But in cases where authentication credentials are exposed, that seemingly small vulnerability can suffice to compromise your entire application.
I've worked with XML for many years, and I've been aware of XPATH injection for about half of those years. I do take precautions to pasteurize user-entered input before putting it in an XPATH or SQL command. Perhaps for that reason, I've never actually seen an XPATH injection up close, personally. SQL injection: yes, I've been injected, and it hurt. XPATH? Can't say I've had the misfortune. Or maybe I have been hit and I don't know it because the attacker left no trace except for some strange crap in my logs.
Were you aware of XPATH injection before reading this post?
If so, do you pasteurize your user input to prevent XPATH injection?
Have any of you been burned by XPATH injection?
If so, what did the attacker do?
What were they after, and what did they get?
How might you have prevented it?
Were you aware of XPATH injection before reading this post?
If so, do you pasteurize your user input to prevent XPATH injection?
How might you have prevented it?
2. Presume all input data is suspect.
3. Validate data format as well as data type.
4. Validate data at least server-side, preferably both client-side and server-side, never ever only client-side.
5. Fuzz Test prior to live use.
You will note that all the above requires knowing somewhat one is doing, cut-n-paste coders (the vast majority of webdevs) will remain at risk.
I parse out all programming characters that wouldn't be used in normal names, user IDs or passwords and specific keywords like SELECT, DROP TABLE, etc. so basically all that's left is raw text without any ability to feed in any type of syntactically correct programming language.
FYI, I convert the input string first, unescape all escaped characters, etc.
If you don't, might as well hang a banner on your site "HACK HERE!"
[edited by: incrediBILL at 7:18 pm (utc) on April 19, 2009]
