10717-13 XPath
13.2. XPath
13.4. Exploitation
The element above is a child node of the user element. This
time the element does not contain any child elements; instead it
contains text.
You can treat this text as the value of the element. In
database terms, jason would be the value stored in the users
table, column username, for the row with id=1.
XPath expression: /users//username
XPath result:     Element='<username>jason</username>'
                  Element='<username>chris</username>'
XPath expression: //user[@id='1']/username
XPath result:     Element='<username>jason</username>'
• //user: select all user elements, no matter where they are in the
document
• username/text()='<USERNAME>': keep only the user elements whose
username text value is <USERNAME>
• and: Boolean operator; both predicates must hold for the element
to be returned
• password/text()='<PASSWORD>': keep only the user elements whose
password text value is <PASSWORD>
Web Application Penetration Testing 2.0 - eLearnSecurity © 2015
If we set the username to jason and the password to
dh8Gjnkj, we get the following result:
XPath expression: //user[username/text()='jason' and password/text()='dh8Gjnkj']
XPath result:     Element='<user id="1">
                    <username>jason</username>
                    <!-- Comment -->
                    <password>dh8Gjnkj</password>
                  </user>'
Character          Purpose
'  (apostrophe)    used as string terminator
,  (comma)         used to break integers, although any character
                   would work
The error message shows that the XPath query has been broken by
the input character ' . With the apostrophe appended to the
value, the query becomes:
//<someNode>[<someOtherNode>=<countryID>']
Boolean test payloads for the unquoted numeric predicate above (the
first makes the condition true, the second makes it false):
999999 or 2=2
999999 or 1=9
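The following Ruby script is an added example (it is not part of the course material) that ties the pieces of this section together: the login query built from the bullet list above, the tautology injection that makes it return every user, the numeric "999999 or 2=2" / "999999 or 1=9" boolean payloads, and a hardened version. It uses Ruby's bundled REXML library and a constructed users document that mirrors the structure shown on the page; the function names, the second user and its password are assumptions made for the example.

```ruby
require 'rexml/document'

# Constructed sample document with the users/user/username/password layout
# used throughout this section (the comment node is kept because the result
# shown on the page has one inside the user element).
USERS_XML = <<~XML
  <users>
    <user id="1">
      <username>jason</username>
      <!-- Comment -->
      <password>dh8Gjnkj</password>
    </user>
    <user id="2">
      <username>chris</username>
      <password>s3cr3tpass</password>
    </user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Returns the id attribute of every user element the query selects,
# in document order.
def matching_user_ids(query)
  REXML::XPath.match(DOC, query).map { |u| u.attributes['id'] }
end

# Vulnerable login: the user-controlled strings are concatenated straight
# into the predicate, exactly the query the bullet list above explains.
# Input ' or '1'='1 for both fields turns the predicate into
#   username/text()='' or '1'='1' and password/text()='' or '1'='1'
# which is true for every user because "and" binds tighter than "or".
def vulnerable_login(username, password)
  query = "//user[username/text()='#{username}' and password/text()='#{password}']"
  matching_user_ids(query)
end

# Vulnerable lookup in the style of //<someNode>[<someOtherNode>=<countryID>]:
# the id is dropped into the predicate unquoted, so "999999 or 2=2" selects
# every user and "999999 or 1=9" selects none (the blind-injection oracle).
def vulnerable_find_by_id(id)
  matching_user_ids("//user[@id=#{id}]")
end

# Hardening for string context: turn arbitrary input into an XPath 1.0
# string literal. XPath literals have no escape character, so a value that
# contains both quote kinds has to be assembled with concat().
def xpath_literal(s)
  return "'#{s}'" unless s.include?("'")
  return "\"#{s}\"" unless s.include?('"')
  pieces = s.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{pieces.join(", \"'\", ")})"
end

# Hardened login: the injected quote is now data inside the literal, so the
# tautology payload simply fails to match any username.
def safe_login(username, password)
  query = "//user[username/text()=#{xpath_literal(username)} and " \
          "password/text()=#{xpath_literal(password)}]"
  matching_user_ids(query)
end

# Hardening for numeric context: only digits may reach the predicate.
def safe_find_by_id(id)
  raise ArgumentError, 'id must be numeric' unless id.to_s.match?(/\A\d+\z/)
  matching_user_ids("//user[@id=#{id}]")
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_login('jason', 'dh8Gjnkj')
  p vulnerable_login("' or '1'='1", "' or '1'='1")
  p vulnerable_find_by_id('999999 or 2=2')
  p vulnerable_find_by_id('999999 or 1=9')
  p safe_login("' or '1'='1", "' or '1'='1")
end
```

Literal quoting is the fix shown here because it works with any XPath 1.0 engine; where the XPath library supports bound variables ($name with a value supplied separately), prefer those, since the query text then never changes with the input at all.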
<users>
<user>
<username> philip </username>
<password> mypass </password>
</user>
...
</users>
<users>
…
</users>
<users>
<user>
…
</user>
</users>