XPATH, LDAP and Path Traversal Injection

Blueinfy Solutions: Web Security Products, Consulting & Training Company
XPATH, LDAP and Path-Traversal Injection
XPATH
XPATH injection
• XPATH injection is a standard parsing error
• XPATH is a query method available for XML
• MS SQL Server provides an interface through which one can get table content in XML format.
• Once this is fetched, one can run XPATH queries against it and obtain results.
• What if username/password checking is done using XPATH? XPATH injection.
XPATH injection
using System;
using System.Xml;
using Microsoft.Data.SqlXml;

// Login check built on XPATH. user and pass come straight from the login
// form and are concatenated into the XPATH predicate (the injection point).
string fulltext = "";
string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
SqlXmlCommand co = new SqlXmlCommand(coString);
co.RootTag = "Credential";
co.CommandType = SqlXmlCommandType.Sql;
co.CommandText = "SELECT * FROM users for xml Auto";   // whole users table as XML
XmlReader xr = co.ExecuteXmlReader();
xr.MoveToContent();
fulltext = xr.ReadOuterXml();
XmlDocument doc = new XmlDocument();
doc.LoadXml(fulltext);
// Unescaped user input inside the XPATH predicate
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
XmlNodeList xmln = doc.SelectNodes(credential);
if (xmln.Count > 0)
{
    // True: a matching node exists, login succeeds
}
else
{
    // False: no match, login fails
}
XPATH injection
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
• XPATH parsing can be leveraged by passing the following string as input: ' or 1=1 or ''='
• The predicate then always evaluates to true for the first node, so the user gets access as whoever the first user is.
Bingo!
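The fix for the credential query above is to stop concatenating and turn every untrusted value into a proper XPath 1.0 string literal. The following is an added example, not code from the slides or from Blueinfy: it keeps the slide's naive build beside a safe builder so the two resulting expressions can be compared for the bypass string.

```python
# Added example (not from the slides): building the credential XPath safely.
# XPath 1.0 has no escape sequences inside string literals, so a value that
# contains a quote must be wrapped in the other quote kind, and a value that
# contains both kinds must be assembled with concat().

def naive_credential_xpath(user: str, pwd: str) -> str:
    """The slide's concatenation, unchanged: a quote in the input breaks out."""
    return "//users[@username='" + user + "' and @password='" + pwd + "']"


def xpath_literal(value: str) -> str:
    """Render an arbitrary string as an XPath 1.0 string literal.

      - no single quote in value  -> 'value'
      - no double quote in value  -> "value"
      - both kinds present        -> concat('a', "'", 'b', ...)
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    # Mixed quotes: split on single quotes and glue the pieces with concat().
    parts = []
    for i, chunk in enumerate(value.split("'")):
        if i > 0:
            parts.append('"\'"')          # a literal single quote
        if chunk:
            parts.append("'" + chunk + "'")
    return "concat(" + ", ".join(parts) + ")"


def safe_credential_xpath(user: str, pwd: str) -> str:
    """Same query shape as the slide, but both values are proper literals."""
    return (
        "//users[@username=" + xpath_literal(user)
        + " and @password=" + xpath_literal(pwd) + "]"
    )


if __name__ == "__main__":
    payload = "' or 1=1 or ''='"     # the bypass string from the slide
    print(naive_credential_xpath(payload, payload))
    print(safe_credential_xpath(payload, payload))
```

With the safe builder the whole payload ends up inside one double-quoted literal and is compared against the attribute as data, so the `or 1=1` never becomes part of the predicate.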
LDAP Injection
Description
• LDAP : Lightweight Directory Access Protocol
• Runs over TCP/IP
• Used for modifying and querying directory services
• Object oriented
• Stores and organizes information that shares some common attributes
Attack Anatomy
• Normal flow : Expected input (good query) -> Expected results
Attack Anatomy
• Checking for vulnerability : Erroneous input (bad query) -> Server error / unexpected behavior -> LDAP Injectable !!!
Attack Anatomy
• Common Injection methods :
– AND Injection
– OR Injection
• Common risks :
– Information Disclosure
– Role Escalation
– Authentication Bypass
Attack Anatomy
• AND injection
– Normal query structure : (&(param1=val1)(param2=val2))
– The attacker supplies two values inside the input for val1
– Thus val2 is never checked and the query is executed
– The attacker inputs values which will always evaluate to “true”
Attack Anatomy
Login Form: asks for username and password
Attack Anatomy
Login Form: asks for username and password
Uname = abc, pwd = 123
Query : (&(uname=abc)(pwd=123))
Attack Anatomy
Login Form: asks for username and password
Uname = abc)(&), pwd = (empty)
Query : (&(uname=abc)(&))(pwd=))
(&) is an always-true filter, and the trailing (pwd=)) is left outside the first complete filter, so the password is never checked.
Attack Anatomy
• OR Injection
– Similar to AND injection
– Normal query structure : (|(param1=val1)(param2=val2))
– Normally used by attackers for information disclosure
Attack Anatomy
Resource viewer : http://www.something.com/res.cgi?type=1
• Restricted access
• Machines accessible to the uid of the user are displayed
Attack Anatomy
Resource viewer : http://www.something.com/res.cgi?type=1)(uid=*))
• Notice the injection
• The attacker bypasses the user id check
• (S)he can view all machines now
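The login form and resource viewer above both fail because raw input is placed into the filter string. As an added example (not code from the slides or from Blueinfy), the block below escapes assertion values per RFC 4515 and adds a structural check that flags a filter whose parentheses close early, which is exactly what the abc)(&) payload produces.

```python
# Added example (not from the slides): RFC 4515 escaping for LDAP filter
# values, shown on the slide's login filter, plus a balance check that
# detects injected structure. Per RFC 4515 the characters \ * ( ) and NUL
# inside a value are written as a backslash followed by two hex digits.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_login_filter(uname: str, pwd: str) -> str:
    """What the slide's login form builds: raw concatenation."""
    return "(&(uname=" + uname + ")(pwd=" + pwd + "))"


def safe_login_filter(uname: str, pwd: str) -> str:
    """Same filter shape with both values escaped."""
    return ("(&(uname=" + escape_filter_value(uname)
            + ")(pwd=" + escape_filter_value(pwd) + "))")


def filter_is_balanced(flt: str) -> bool:
    """True if the parentheses reach depth zero exactly once, at the end.

    Escaped parentheses (\28, \29) do not count. A filter whose depth hits
    zero before its last character, such as (&(uname=abc)(&))(pwd=)), has
    extra structure after the first complete filter: a sign of injection.
    """
    depth = 0
    i = 0
    n = len(flt)
    while i < n:
        ch = flt[i]
        if ch == "\\":           # skip the two hex digits of an escape
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False     # more closes than opens
            if depth == 0 and i != n - 1:
                return False     # filter ended early; trailing data follows
        i += 1
    return depth == 0 and n > 0


if __name__ == "__main__":
    # Constructed inputs: the slide's injected username and an empty password.
    print(naive_login_filter("abc)(&)", ""))   # (&(uname=abc)(&))(pwd=))
    print(safe_login_filter("abc)(&)", ""))    # (&(uname=abc\29\28&\29)(pwd=))
```

The balance check is a defence-in-depth measure for logging and alerting; escaping the values is what actually removes the injection.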
Path Traversal & Injection
Description
• An application has numerous resources
– Images
– Sound
– Videos
– Background and page eye-candy
• A normal application would group these in separate directories and put the code in a separate directory
Description
• A poorly developed application would use absolute/relative paths to reach the necessary resources
• Even worse, some applications directly use user preferences from URL / cookie values and append them to the URI for these resources
• A user could modify the URL / cookie values and view files not meant for him/her
Attack Anatomy
• The attacker begins by identifying resources accessed via URIs
• Then the attacker looks for URLs or cookies which contain the resource identifiers
• Usually, such applications set the resource names (and possibly even the paths) via URLs and cookies
Attack Anatomy
• Before the attacker begins to browse directories, (s)he tries to find out the operating system type of the server
• This is necessary because Unix-based servers allow the forward slash for directory traversal and Windows-based servers allow the backslash for directory traversal
Attack Anatomy
Attacker -> Server: URL : http://something.com?pref=page1.html
Attacker: Interesting … pref=page1.html
Attack Anatomy
Server -> Attacker: serves back page1.html
Attacker: Maybe .... path traversal ???
Attack Anatomy
Attacker -> Server: Cookie: PREF=page1.html
Attacker: Interesting … PREF=page1.html
Attack Anatomy
Server -> Attacker: sends back a page with page1.html as the background
Attacker: Maybe .... path traversal ???
Attack Anatomy
• Once the attacker has determined that an application is vulnerable to path traversal, (s)he tries out the following, depending on
– The operating system of the server
– The level of input scanning the application does ...
Attack Anatomy
• Unix-based servers
– Use the forward slash (/)
– The attacker begins with “../” sequences
• If the application scans for sequences such as the dot-dot-slash, the attacker will try :
– %2e%2e%2f
– %2e%2e/
– ..%2f
Attack Anatomy
• Windows-based servers
– Use the backslash (\)
– The attacker begins with “..\” sequences
• If the application scans for sequences such as the dot-dot-slash, the attacker will try :
– %2e%2e%5c
– %2e%2d
– ..%5c
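A server-side check that survives the encoded variants listed above has to decode first, treat both separator styles alike, and then confirm the resolved path is still inside the resource directory. The following is an added example (not code from the slides or from Blueinfy) for the pref parameter / PREF cookie the slides describe; the resource directory name is an assumption.

```python
# Added example (not from the slides): validating the "pref" value before it
# is appended to a resource path. Percent-decoding is repeated (bounded) so
# %2e%2e%2f and double-encoded %252e variants are both caught, backslashes
# are treated like forward slashes, and the final path must stay under the
# resource directory.
import posixpath
from urllib.parse import unquote

RESOURCE_DIR = "/var/www/resources"   # assumed location of pages, images etc.


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded rounds)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_resource(pref: str, base: str = RESOURCE_DIR):
    """Return the absolute file path to serve, or None if pref is rejected."""
    decoded = fully_decode(pref)
    if "\x00" in decoded:
        return None                      # NUL would truncate the path
    # Windows-style separators are normalised to forward slashes first.
    normalized = decoded.replace("\\", "/")
    # Reject absolute paths and any dot-dot segment (../, ..%2f, ..\ ...).
    if normalized.startswith("/") or ".." in normalized.split("/"):
        return None
    # Containment check after normalisation: the result must remain a file
    # strictly below base (base itself, i.e. an empty pref, is not a file).
    candidate = posixpath.normpath(posixpath.join(base, normalized))
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def classify(pref: str) -> str:
    """Log-friendly verdict for a pref value."""
    return "allow" if resolve_resource(pref) else "reject"


if __name__ == "__main__":
    # Constructed sample values: the slide's legitimate value plus the
    # encoded dot-dot-slash variants it lists, on both separator styles.
    for sample in ["page1.html", "img/bg.png", "../../../etc/passwd",
                   "%2e%2e%2fetc/passwd", "%2e%2e/secret", "..%2fsecret",
                   "%2e%2e%5cwindows\\win.ini", "..%5c..%5cboot.ini",
                   "%252e%252e%252fetc/passwd", ""]:
        print(f"{sample!r:32} -> {classify(sample)}")
```

Rejections are worth logging with the raw (undecoded) value, since an operator can then see which encoding variant was attempted.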
Conclusion