Open Access
Subscription Access
Open Access
Subscription Access
Blind XPath Injection Attack: A Case Study
Subscribe/Renew Journal
Extensible Mark-up Language (XML) is adopted by different organizations as a data exchange format for web services and internet applications. The XML is much prone to hackers' attack. The common hacking technique for XML is XPath injection. The attacker can exploit the XPath to manipulate the database. XPath Injection attack can even bypass the system security and results can be disastrous. In this communication Blind XPath code injection problem is being reviewed using a case study. This article discusses the extent of the problem and few principals for managing and solving XML deployment.
Keywords
XML, XPath Injection, Blind XPath Injection
Subscription
Login to verify subscription
User
Font Size
Information
- Antunes, N., Laranjeiro, N., Vieira, M. & Madeira, H. (2009). Effective Detection of SQL/XPathInjection Vulnerabilities in Web Services. In Services Computing, 2009. SCC’09. IEEE International Conference, pp. 260-267.
- Blasco, J. (2007). Introduction to X-Path Injection Techniques, Hakin9. Conference on IT Underground, Czech Republic, pp. 23-31.
- Groppe, J. & Groppe, S. (2008). Filtering unsatisfiable X-Path queries. Journal Data & Knowledge Engineering, 64(1), 134-169.
- Klein, A. (2005). Blind X-Path Injection. Whitepaper, Watchfi re. Retrieved from http://www. modsecurity. org/archive/amit/blind-xpath-injection.pdf
- Li, Z., Shamy, S. M. E. & Galal, T. (2011). A Novell security framework for web application and database. JDCTA: International Journal of Digital Content Technology and its Applications, 5(10), 190-198.
- Mitropoulos, D., Karakoidas, V. & Spinellis, D. (2009). Fortifying Applications against XPathInjection Attacks. MCIS 2009: 4th Mediterranean Conference on Information Systems, Athens, pp. 1169-1179.
- Obugi, U. (2006). IBM, Thinking XML: Manage XML data sets for security, XML Thinking Forum. Retrieved from http://www.ibm.com/developerworks/library/x-think37/.
- Sen, R. (2007). Avoid the dangers of XPath injection, IBM Technical Library. Retrieved from http://www.ibm.com/developerworks/xml/library/x-xpathinjection/index.html
- Stuttard, D. & Pinto, M. (2007). The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws. Wiley, ISBN-10: 0470170778.
- W3C Recommendation. (2000). Extensible Mark-up Language (XML) 1.0 (2ndEd.). W3C Recommendation. 6 October 2000. Retrieved from http://www.w3.org/TR/REC-xml
- W3C Recommendation. (1999). XML Path Language (XPath) Version 1.0 - W3C Recommendation. 16 November 1999. Retrieved from http://www.w3.org/TR/xpath
- W3C Working Draft. (2003). XML Path Language (XPath) 2.0 - W3C Working Draft. 12 November 2003. Retrieved from http://www.w3.org/TR/xpath20/
Abstract Views: 560
PDF Views: 4