import java.io.File;
import java.io.FileInputStream;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

String username = req.getParameter("username");
String password = req.getParameter("password");
XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
File file = new File("/usr/webappdata/users.xml");
InputSource src = new InputSource(new FileInputStream(file));
// Vulnerable: the raw request parameters are concatenated straight into the XPath expression
XPathExpression expr = xpath.compile("//users[username/text()='" +
    username + "' and password/text()='" + password + "']/id/text()");
String id = expr.evaluate(src);
This code loads the XML document and queries for the ID associated with the
provided username and password. Assuming the username was admin and the
password was xpathr00lz, the XPath query would be this:
//users[username/text()='admin' and password/text()='xpathr00lz']/id/text()
Notice that the user input is not escaped in the Java code, so an attacker can place any
data or XPath instructions in this XPath query, such as setting the password to ' or '1'='1;
the query would then be this:
//users[username/text()='admin' and password/text()='' or '1'='1']/id/text()
This query would find the ID where the username is admin and the password is
either null (which is highly unlikely) or 1=1 (which is always true). Thus, injecting ' or
'1'='1 returns the ID for the administrator without the attacker knowing the
administrator's password.
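The vulnerable lookup above beside a hardened version, as an added example that is not from the book: the fix binds the request parameters through an XPathVariableResolver (the XPath analogue of a parameterised SQL query), so the input is always treated as a string value and can never change the structure of the expression. The users_xml document and the class and method names are constructed for this example; the file path and XPath from the page are replaced by an in-memory document so it runs stand-alone.

```java
import java.io.StringReader;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

public class XPathLookup {
    // Constructed sample user store standing in for /usr/webappdata/users.xml
    static final String USERS_XML =
        "<db>"
        + "<users><username>admin</username><password>xpathr00lz</password><id>1</id></users>"
        + "<users><username>bob</username><password>bobpass</password><id>2</id></users>"
        + "</db>";

    // Vulnerable form, as on the page: request parameters concatenated into the expression
    static String lookupUnsafe(String username, String password) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String q = "//users[username/text()='" + username
                 + "' and password/text()='" + password + "']/id/text()";
        return xpath.evaluate(q, new InputSource(new StringReader(USERS_XML)));
    }

    // Hardened form: the expression is a constant, and $u / $p are resolved to the
    // caller's strings at evaluation time, so quotes or operators in the input are
    // compared literally rather than parsed as XPath
    static String lookupSafe(String username, String password) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name -> {
            if ("u".equals(name.getLocalPart())) return username;
            if ("p".equals(name.getLocalPart())) return password;
            return null; // unknown variable: let the engine raise an error
        });
        String q = "//users[username/text()=$u and password/text()=$p]/id/text()";
        return xpath.evaluate(q, new InputSource(new StringReader(USERS_XML)));
    }

    public static void main(String[] args) throws Exception {
        String injected = "' or '1'='1"; // the password value discussed on the page
        System.out.println("unsafe, valid creds:    " + lookupUnsafe("admin", "xpathr00lz"));
        System.out.println("unsafe, injected pw:    " + lookupUnsafe("admin", injected));
        System.out.println("safe,   valid creds:    " + lookupSafe("admin", "xpathr00lz"));
        // With the resolver the injected string is just a password that matches nobody
        System.out.println("safe,   injected pw:    '" + lookupSafe("admin", injected) + "'");
    }
}
```

In the unsafe path the `or '1'='1'` term makes the predicate true for every users element, so the first ID in the document is returned regardless of password; in the safe path the same string yields an empty result. Note that comparing plaintext passwords in an XML file is itself a weakness the variable resolver does not address.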