1
00:00:00,520 --> 00:00:08,140
So it's quite common for developers to use XML documents in web applications, and XML documents are generally

2
00:00:08,140 --> 00:00:14,080
used to store configuration data or to transfer data from a source to a destination.

3
00:00:15,770 --> 00:00:21,110
So most of the programming languages are able to edit or create XML documents.

4
00:00:22,210 --> 00:00:25,930
But there is a standard query language for XML documents.

5
00:00:26,780 --> 00:00:29,210
Its name is XPath.

6
00:00:30,520 --> 00:00:33,880
So XPath stands for XML Path Language.

7
00:00:34,770 --> 00:00:47,820
XPath uses path-like syntax to query XML documents, and like SQL, it will provide specificity for

8
00:00:47,820 --> 00:00:55,860
certain attributes to find them and then the patterns to match, so it helps to identify and navigate

9
00:00:55,860 --> 00:00:57,660
nodes in an XML document.

10
00:00:59,040 --> 00:01:07,770
Now, XPath differs from other database languages as there are no access controls or user authentication.

11
00:01:08,810 --> 00:01:16,370
For instance, an attacker can inject XPath statements in some input fields, and if there's no control

12
00:01:16,370 --> 00:01:21,140
at the back end, then it is also possible to access the entire XML document.

13
00:01:22,280 --> 00:01:25,940
So in this lesson, we're going to cover the XPath attack.

14
00:01:27,320 --> 00:01:29,780
So open Kali and log in to bWAPP.

15
00:01:31,080 --> 00:01:32,340
We are going to do both.

16
00:01:33,680 --> 00:01:38,120
So choose the first one from the menu above. It is a login form.

17
00:01:39,390 --> 00:01:41,100
Just write something and log in.

18
00:01:42,670 --> 00:01:43,840
OK, so we get an error.

19
00:01:44,990 --> 00:01:48,710
And now just enter a single quote and then log in.

20
00:01:49,910 --> 00:01:53,020
OK, so this is not what we expect then, right?

21
00:01:53,410 --> 00:01:59,040
Normally, we're going to see SQL errors, but an XML error appears on the top of the page.

22
00:01:59,760 --> 00:02:05,150
Now, obviously, it's different, and the data transmits over the URL.

23
00:02:05,820 --> 00:02:07,410
So let's have a look at the code.

24
00:02:08,430 --> 00:02:12,120
Open xmli_1.php.

25
00:02:14,050 --> 00:02:19,420
Now the developer puts their security checks based on the security level.

26
00:02:20,410 --> 00:02:25,780
OK, so we're going to look into this function later, but now scroll down.

27
00:02:26,700 --> 00:02:33,510
And this is the part that we're looking for. See here on line 75, the developer loads an XML file.

28
00:02:34,430 --> 00:02:40,730
Then they check the login and password in an XPath query on line 78.

29
00:02:42,010 --> 00:02:49,840
And then based on the results of this query, it shows the message or an invalid credentials error.

30
00:02:50,910 --> 00:02:52,290
OK, so exit this.

31
00:02:53,630 --> 00:02:56,840
And we can view the external functions file.

32
00:02:58,090 --> 00:03:06,430
So scroll to find the XML injection function. Up, found it, and it replaces characters that can

33
00:03:06,430 --> 00:03:10,510
be used in an XPath query with a whitespace character.

34
00:03:11,810 --> 00:03:12,860
OK, so exit.

35
00:03:14,650 --> 00:03:16,960
Then let's open Sublime Text.

36
00:03:17,940 --> 00:03:22,530
Now, before we go any further, I do want to show you the XPath query execution.

37
00:03:24,590 --> 00:03:26,180
OK, so open the Tools menu.

38
00:03:27,340 --> 00:03:29,500
Install Package Control.

39
00:03:31,580 --> 00:03:33,860
OK, so it's installed, and now click OK.

40
00:03:35,400 --> 00:03:36,780
And go to Preferences.

41
00:03:38,040 --> 00:03:39,600
Click on Package Control.

42
00:03:40,640 --> 00:03:42,710
Then click Install Package.

43
00:03:44,340 --> 00:03:48,000
And now you're going to see Sublime packages or extensions.

44
00:03:49,030 --> 00:03:57,160
So to execute XPath queries, we're going to need an extension, so type XPath and just click on the

45
00:03:57,160 --> 00:03:57,640
first one.

46
00:03:58,730 --> 00:04:00,760
And now it will be installed in the background.

47
00:04:01,980 --> 00:04:04,770
OK, so now open the heroes XML file.

48
00:04:09,840 --> 00:04:12,180
OK, then hit Ctrl+Shift+P.

49
00:04:13,120 --> 00:04:15,850
Type query and select the first one.

50
00:04:17,760 --> 00:04:19,570
So now let me zoom it in for you.

51
00:04:20,160 --> 00:04:25,530
So this extension helps us to execute XPath queries on a document.

52
00:04:26,640 --> 00:04:31,080
So, OK, I'm going to paste the query in the code to here.

53
00:04:32,110 --> 00:04:36,560
And the code was like that, and it contains code as well.

54
00:04:37,270 --> 00:04:38,730
So we just clean them up.

55
00:04:43,310 --> 00:04:46,130
So this is the actual XPath query.

56
00:04:47,720 --> 00:04:53,350
The logic is almost the same as SQL queries.

57
00:04:55,610 --> 00:05:02,870
So the query just means that under the heroes root element, choose a hero which has a specific login

58
00:05:02,870 --> 00:05:03,530
and password.

59
00:05:05,230 --> 00:05:07,300
All right, so now type neo.

60
00:05:08,440 --> 00:05:10,150
And then trinity.

61
00:05:11,980 --> 00:05:15,220
And now look above, the first hero element is chosen.

62
00:05:17,000 --> 00:05:21,740
So the login mechanism in this form works like that on this XML file.

63
00:05:22,980 --> 00:05:24,600
So now we can delete these values.

64
00:05:26,510 --> 00:05:28,070
And put in a single quote.

65
00:05:29,190 --> 00:05:30,240
It breaks the query.

66
00:05:31,120 --> 00:05:32,260
And nothing appears.

67
00:05:33,860 --> 00:05:38,450
And I'll type or 1=1 or a single quote.

68
00:05:40,230 --> 00:05:42,630
Then all the hero elements are chosen.

69
00:05:43,930 --> 00:05:45,520
So I'm going to copy this payload.

70
00:05:48,060 --> 00:05:50,160
And go back to Firefox.

71
00:05:51,830 --> 00:05:54,290
Paste it into this field and log in.

72
00:05:55,280 --> 00:05:57,830
And there it goes, it works. So,

73
00:06:00,720 --> 00:06:06,540
actually, we can only see what is in the first line or, well, the first element of the result.

74
00:06:07,830 --> 00:06:13,260
OK, so now you can see the code and you can prepare your XPath payloads.

75
00:06:14,810 --> 00:06:19,040
Well, let me tell you, in a real-world test, it's not really like that.

76
00:06:20,400 --> 00:06:27,600
After you see the XML error, you need to try more for exploiting. Open your perspective a little bit.

77
00:06:28,470 --> 00:06:34,580
So this was our payload. Change 1 to 2 and go, and we get an error.

78
00:06:35,430 --> 00:06:39,180
So this means that our payload executes well.

79
00:06:40,120 --> 00:06:42,100
So now it's time to pull the data.

80
00:06:43,490 --> 00:06:47,060
And we can view the first hero on the list.

81
00:06:48,150 --> 00:06:51,120
And then by adding this code, we can view another.

82
00:06:54,140 --> 00:06:55,700
And it's the same user.

83
00:06:56,760 --> 00:06:58,500
This time, 2.

84
00:07:00,570 --> 00:07:05,040
The second user is Alice. What's the third one? Thor.

85
00:07:06,020 --> 00:07:07,880
What's the fourth one? Wolverine.

86
00:07:09,160 --> 00:07:12,490
What's the fifth one? Johnny. Six.

87
00:07:14,560 --> 00:07:16,960
Selene. Seven.

88
00:07:17,930 --> 00:07:21,240
OK, and because there is no other user, we get this error.

89
00:07:22,070 --> 00:07:25,820
So anyway, I'm going to give you some payloads so that you can go further.

90
00:07:27,300 --> 00:07:30,660
So to get the number of root elements, write this one.

91
00:07:32,210 --> 00:07:33,470
And we'll get the result.

92
00:07:34,730 --> 00:07:37,910
So it means that there is one root element.

93
00:07:39,080 --> 00:07:43,160
And because there is only one root element, the rest will work like that.

94
00:07:45,550 --> 00:07:48,640
So to get the number of elements in the file, write this one.

95
00:07:50,150 --> 00:07:51,560
No, it's not one.

96
00:07:55,270 --> 00:07:57,250
Yes, it is 43.

97
00:07:59,610 --> 00:08:05,040
Then to get the number of child elements under the heroes element, write this one.

98
00:08:06,730 --> 00:08:09,850
Sure enough, there are six children under heroes.

99
00:08:11,230 --> 00:08:16,680
And again, for the length of the name of the current node, the root node, type this payload.

100
00:08:18,390 --> 00:08:21,700
And the length is not one. Is it six?

101
00:08:22,570 --> 00:08:25,230
Yeah, because it is heroes.

102
00:08:26,710 --> 00:08:33,100
So now to get the name of the root element one by one, type this payload.

103
00:08:34,980 --> 00:08:36,990
The first character is not a.

104
00:08:38,570 --> 00:08:39,230
H.

105
00:08:40,680 --> 00:08:47,100
Yeah, the first character is h. Now you can follow along the same way to get the other characters.

106
00:08:48,490 --> 00:08:54,820
OK, so to get the length of the name of the first child under the root element, type this payload.

107
00:08:56,600 --> 00:08:57,980
And no, it is not one.

108
00:08:59,130 --> 00:09:00,300
So is it four?

109
00:09:01,510 --> 00:09:02,500
It sure is.

110
00:09:04,180 --> 00:09:11,050
OK, so now to get the name of the first child under the root element one by one, type this payload.

111
00:09:12,300 --> 00:09:15,540
It is not a. Is it h?

112
00:09:17,070 --> 00:09:18,300
And yes, it is.

113
00:09:19,340 --> 00:09:26,180
All right, so if we follow along this way, we can extract the name of the first child under the root

114
00:09:26,180 --> 00:09:26,660
element.

115
00:09:28,340 --> 00:09:35,330
OK, so now to get the number of children of the first child under the root element, type this payload.

116
00:09:37,070 --> 00:09:38,930
Is it more than one child?

117
00:09:40,260 --> 00:09:41,310
So is it six?

118
00:09:43,970 --> 00:09:46,960
OK, so the first child has six children.

119
00:09:48,250 --> 00:09:55,360
So now let's get the length of the name of the first of these six. Type in this payload.

120
00:09:56,720 --> 00:09:58,940
No, it's not one. Is it two?

121
00:10:00,210 --> 00:10:01,170
Why, yes, it is.

122
00:10:02,540 --> 00:10:07,970
OK, so to get the name of them one by one, type in this payload.

123
00:10:09,340 --> 00:10:12,610
The first character is not a, so let's change it.

124
00:10:12,640 --> 00:10:13,060
i?

125
00:10:14,160 --> 00:10:15,690
And yeah, i.

126
00:10:17,810 --> 00:10:20,030
So I assume we discover them one by one.

127
00:10:21,360 --> 00:10:26,070
Then type this to get the length of the text of this child.

128
00:10:27,150 --> 00:10:29,580
The length of the text is one.

129
00:10:31,280 --> 00:10:33,170
OK, so is this text 1?

130
00:10:34,620 --> 00:10:36,870
And yeah, the text is 1.

131
00:10:37,450 --> 00:10:38,130
OK, so.

132
00:10:39,990 --> 00:10:41,170
I think you get the point, right?

133
00:10:42,030 --> 00:10:46,170
So step by step, we discover the root element, the elements, as well as the children.

134
00:10:47,600 --> 00:10:48,020
So.

135
00:10:49,160 --> 00:10:53,930
If it is necessary, you can discover the attributes and the others as well.

136
00:10:55,490 --> 00:11:00,620
But then finally, I want to show you that we will be able to pull data from the XML file.

137
00:11:01,860 --> 00:11:03,990
So why don't we go ahead and do another example?

138
00:11:04,990 --> 00:11:08,200
So from the menu above, choose the second one.

139
00:11:10,940 --> 00:11:13,400
It selects movies based on their genre.

140
00:11:15,220 --> 00:11:18,220
So you may not see this error message on the page.

141
00:11:19,630 --> 00:11:27,220
I enabled it from the code so that I could show you how XPath finds the values, so don't freak out,

142
00:11:28,510 --> 00:11:34,900
but just open the terminal and view xmli_2.php.

143
00:11:36,960 --> 00:11:47,040
Scroll down to below, and here is the XPath query, so it chooses the child element movie from the

144
00:11:47,040 --> 00:11:51,180
hero elements, which has a specific genre element.

145
00:11:51,810 --> 00:11:54,270
OK, yeah, I know my sentence.

146
00:11:54,300 --> 00:11:56,220
It's a little bit long and weird, but.

147
00:11:57,180 --> 00:12:01,620
It's really what it is, and what it is, is what it is.

148
00:12:03,130 --> 00:12:08,740
Anyway, the remaining part prints the output to the screen in a table.

149
00:12:10,440 --> 00:12:12,210
So why don't we go back to Sublime?

150
00:12:13,230 --> 00:12:14,610
And paste the query here.

151
00:12:16,350 --> 00:12:18,780
Now I'm going to clear the syntax.

152
00:12:20,890 --> 00:12:22,990
And this is the actual XPath query.

153
00:12:23,940 --> 00:12:27,210
And the movies immediately appear.

154
00:12:28,900 --> 00:12:34,330
Now, if I were to clear here from the URL, I can see all the movies.

155
00:12:36,000 --> 00:12:37,620
OK, so go to Sublime again.

156
00:12:38,880 --> 00:12:40,500
Now, add a single quote here.

157
00:12:41,720 --> 00:12:42,470
And.

158
00:12:43,510 --> 00:12:44,440
Nothing appears.

159
00:12:45,600 --> 00:12:47,310
Because it breaks the syntax.

160
00:12:48,400 --> 00:12:50,050
So now I'm going to add this.

161
00:12:52,000 --> 00:13:01,660
OK, so I think there is no syntax error now, and we'll add something here. OK, perfect, the result appears.

162
00:13:02,000 --> 00:13:03,030
That's what we're looking for.

163
00:13:04,090 --> 00:13:08,710
So now I'm going to copy this payload and paste it into the URL.

164
00:13:13,900 --> 00:13:14,650
And it works.

165
00:13:15,840 --> 00:13:20,430
OK, so let's go back to Sublime, and I'm going to add a few things.

166
00:13:24,160 --> 00:13:28,300
And this time it will bring all the data in the XML file.

167
00:13:29,490 --> 00:13:33,930
So I'll copy this payload and paste it in the URL and then go.

168
00:13:38,630 --> 00:13:39,620
And what do you see?

169
00:13:39,650 --> 00:13:42,530
We can view all the text data in the table.

170
00:13:44,770 --> 00:13:49,990
All right, so that wraps it up for XML injection or XPath injection.

171
00:13:51,710 --> 00:13:55,520
So you can do whatever you want to at this stage.

172
00:13:57,280 --> 00:14:05,470
You can go further, try several other payloads, you can see what works, what doesn't work. That,

173
00:14:05,470 --> 00:14:06,790
my friends, is up to you.

