Re: [xsl] XSL Injection, is it possible?

["Dimitre Novatchev" <dnovatchev@xxxxxxxxx>]

See for example:

   http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf


--
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.


On 5/30/06, G. T. Stresen-Reuter <tedmasterweb@xxxxxxx> wrote:
> On May 30, 2006, at 5:13 PM, Dimitre Novatchev wrote:
>
> >> But I do wonder, how would you circumvent an XPath expression such as
> >> this?
> >>
> >> select="//page[@name = $pagename]/content[@lang = $lang]/block[@id =
> >> $block_id]"
> >
> >
> > This expression:
> >
> >
> >     //page[@name = $pagename and anInterestingXPathExpression]
> >
> > will produce the page with name given by $pagename only when the
> > "anInterestingXPathExpression" is true.
> >
> > In this way I could test whether certain elements have certain values,
> > ..., etc.
> >
> > In case the dynamically generated XPath expression is evaluated within
> > an XSLT processor, then the document() function is very likely to be
> > referenced within the injected part of the expression.
> >
> > The same goes for any extension functions that might be supported.
>
> Ok, but how would someone be able to append " and
> anInterestingXPathExpression" to the $pagename variable? Just adding "
> or 1 = 1"to the incoming value (as would be the case with SQL
> injection) doesn't work with Sablotron, Saxon, libxslt nor Xalan-J. The
> processors see the value of $pagename as [@name = 'home.html and 1 =
> 1'] rather than as [@name = home.html and 1 = 1]
>
> Honestly, posting how to do this to the list may not be the best idea,
> but I sure would like to be able to say that the methodology I'm
> following is sound 8~/
>
> Thanks again for the ideas and feedback.
>
> Ted


--
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.