lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 19 May 2004 13:54:45 +0300
From: Amit Klein <amit.klein@...ctuminc.com>
To: bugtraq@...urityfocus.com
Subject: A new Sanctum paper: "Blind XPath Injection"


I'm happy to announce a new paper from Sanctum, titled
"Blind XPath Injection", written by yours truly. The paper can be
downloaded here:

http://www.sanctuminc.com/pdfc/WhitePaper_Blind_XPath_Injection_20040518.pdf

Below I copy the paper abstract:

This paper describes a Blind XPath Injection attack that enables an
attacker to extract a complete XML document used for XPath querying -
without prior knowledge of the XPath query. The attack is "complete"
since all possible data is exposed. The attack makes use of two
techniques – XPath crawling, and Booleanization of XPath queries.

Using this attack, it is possible to get hold of the XML "database"
used in the XPath query. This can be most powerful against sites that
use XPath queries (and XML "databases") for authentication,
searching, and other uses.

Compared to the SQL injection attacks, XPath Injection has the
following upsides:

(*) Since XPath is a standard (yet rich) language, it is possible to
carry the attack 'as-is' for any XPath implementation. This is in
contrast to SQL injection where different implementations have
different SQL dialects (there is acommon SQL language, but it is
often too weak).

(*) The XPath language can reference practically all parts of the XML
document without access control restrictions, whereas with SQL, a
"user" (which is a term undefined in the XPath/XML context) may be
restricted to certain tables, columns or queries. So the outcome of
the Blind XPath Injection attack is guaranteed to consist of the
complete XML document, i.e. the complete database.

These results enable an automated attack to fit any XPath based
application provided that it possesses the basic security hole.
Indeed, such pr oof of concept script was written and demonstrated
on various XPath implementations.


Thanks,
-Amit

Amit Klein
Director of security and research, Sanctum
W: +972-9-9586077 x225, F: +972-9-9576337
1 Sapir St., Ampa Bldg., Herzlia 46733 Israel
amit.klein@...ctuminc.com




Powered by blists - more mailing lists