International Journal of System & Software Engineering

Open Access Open Access  Restricted Access Subscription Access
Open Access Open Access Open Access  Restricted Access Restricted Access Subscription Access

Blind XPath Injection Attack: A Case Study


Affiliations
1 Maharaja Ganga Singh University, Bikaner, Rajasthan, India
     

   Subscribe/Renew Journal


Extensible Mark-up Language (XML) is adopted by different organizations as a data exchange format for web services and internet applications. The XML is much prone to hackers' attack. The common hacking technique for XML is XPath injection. The attacker can exploit the XPath to manipulate the database. XPath Injection attack can even bypass the system security and results can be disastrous. In this communication Blind XPath code injection problem is being reviewed using a case study. This article discusses the extent of the problem and few principals for managing and solving XML deployment.

Keywords

XML, XPath Injection, Blind XPath Injection
Subscription Login to verify subscription
User
Notifications
Font Size


  • Antunes, N., Laranjeiro, N., Vieira, M. & Madeira, H. (2009). Effective Detection of SQL/XPathInjection Vulnerabilities in Web Services. In Services Computing, 2009. SCC’09. IEEE International Conference, pp. 260-267.

  • Blasco, J. (2007). Introduction to X-Path Injection Techniques, Hakin9. Conference on IT Underground, Czech Republic, pp. 23-31.

  • Groppe, J. & Groppe, S. (2008). Filtering unsatisfiable X-Path queries. Journal Data & Knowledge Engineering, 64(1), 134-169.

  • Klein, A. (2005). Blind X-Path Injection. Whitepaper, Watchfi re. Retrieved from http://www. modsecurity. org/archive/amit/blind-xpath-injection.pdf

  • Li, Z., Shamy, S. M. E. & Galal, T. (2011). A Novell security framework for web application and database. JDCTA: International Journal of Digital Content Technology and its Applications, 5(10), 190-198.

  • Mitropoulos, D., Karakoidas, V. & Spinellis, D. (2009). Fortifying Applications against XPathInjection Attacks. MCIS 2009: 4th Mediterranean Conference on Information Systems, Athens, pp. 1169-1179.

  • Obugi, U. (2006). IBM, Thinking XML: Manage XML data sets for security, XML Thinking Forum. Retrieved from http://www.ibm.com/developerworks/library/x-think37/.

  • Sen, R. (2007). Avoid the dangers of XPath injection, IBM Technical Library. Retrieved from http://www.ibm.com/developerworks/xml/library/x-xpathinjection/index.html

  • Stuttard, D. & Pinto, M. (2007). The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws. Wiley, ISBN-10: 0470170778.

  • W3C Recommendation. (2000). Extensible Mark-up Language (XML) 1.0 (2ndEd.). W3C Recommendation. 6 October 2000. Retrieved from http://www.w3.org/TR/REC-xml

  • W3C Recommendation. (1999). XML Path Language (XPath) Version 1.0 - W3C Recommendation. 16 November 1999. Retrieved from http://www.w3.org/TR/xpath

  • W3C Working Draft. (2003). XML Path Language (XPath) 2.0 - W3C Working Draft. 12 November 2003. Retrieved from http://www.w3.org/TR/xpath20/


Abstract Views: 560

PDF Views: 4




  • Blind XPath Injection Attack: A Case Study

Abstract Views: 560  |  PDF Views: 4

Authors

Jyoti Lakhani
Maharaja Ganga Singh University, Bikaner, Rajasthan, India

Abstract


Extensible Mark-up Language (XML) is adopted by different organizations as a data exchange format for web services and internet applications. The XML is much prone to hackers' attack. The common hacking technique for XML is XPath injection. The attacker can exploit the XPath to manipulate the database. XPath Injection attack can even bypass the system security and results can be disastrous. In this communication Blind XPath code injection problem is being reviewed using a case study. This article discusses the extent of the problem and few principals for managing and solving XML deployment.

Keywords


XML, XPath Injection, Blind XPath Injection

References