
Re: [xsl] XSL Injection, is it possible?

2006-05-30 12:13:27
See for example:

http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf


--
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.


On 5/30/06, G. T. Stresen-Reuter <tedmasterweb(_at_)mac(_dot_)com> wrote:
On May 30, 2006, at 5:13 PM, Dimitre Novatchev wrote:

>> But I do wonder, how would you circumvent an XPath expression such as
>> this?
>>
>> select="//page[@name = $pagename]/content[@lang = $lang]/block[@id = $block_id]"
>
>
> This expression:
>
>
>     //page[@name = $pagename and anInterestingXPathExpression]
>
> will produce the page with name given by $pagename only when the
> "anInterestingXPathExpression" is true.
>
> In this way I could test whether certain elements have certain values,
> ..., etc.
>
> In case the dynamically generated XPath expression is evaluated within
> an XSLT processor, then the document() function is very likely to be
> referenced within the injected part of the expression.
>
> The same goes for any extension functions that might be supported.

Ok, but how would someone be able to append " and
anInterestingXPathExpression" to the $pagename variable? Just adding "
or 1 = 1" to the incoming value (as would be the case with SQL
injection) doesn't work with Sablotron, Saxon, libxslt nor Xalan-J. The
processors see the value of $pagename as [@name = 'home.html and 1 =
1'] rather than as [@name = home.html and 1 = 1]

Honestly, posting how to do this to the list may not be the best idea,
but I sure would like to be able to say that the methodology I'm
following is sound 8~/

Thanks again for the ideas and feedback.

Ted


--~------------------------------------------------------------------
XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
To unsubscribe, go to: http://lists.mulberrytech.com/xsl-list/
or e-mail: <mailto:xsl-list-unsubscribe(_at_)lists(_dot_)mulberrytech(_dot_)com>
--~--




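The distinction Ted's question turns on is whether the untrusted value is bound to an XPath variable (as an xsl:param is) or spliced into the expression text by application code; the following Ruby/REXML example, added here and not part of the thread, shows both shapes side by side. The sample document, page names and helper names are constructed for this example.

```ruby
require "rexml/document"

# Constructed sample document for this example; the <page>/<content>/<block>
# shape follows the select expression quoted in the thread, the names are made up.
SITE_XML = <<~XML
  <site>
    <page name="home.html"><content lang="en"><block id="b1">Welcome</block></content></page>
    <page name="admin.html"><content lang="en"><block id="b1">Internal notes</block></content></page>
  </site>
XML

# Vulnerable shape: the XPath text itself is assembled from the request value,
# so a value that closes the quoted literal changes the structure of the
# expression before the engine ever parses it.
def lookup_by_concatenation(doc, pagename)
  expr = "//page[@name = '#{pagename}']"
  REXML::XPath.match(doc, expr).map { |page| page.attributes["name"] }
end

# Safe shape, and what an <xsl:param name="pagename"/> gives you: the value is
# bound to the variable $pagename and compared as a string value, never
# re-parsed as XPath, so quotes and operators inside it have no effect.
def lookup_by_variable(doc, pagename)
  expr = "//page[@name = $pagename]"
  REXML::XPath.match(doc, expr, {}, { "pagename" => pagename })
              .map { |page| page.attributes["name"] }
end

# Coarse input check for logging or alerting at the web tier (hypothetical
# helper): a page name carrying XPath quoting or boolean operators is worth
# flagging even when the backend binds it safely.
def suspicious_pagename?(value)
  value.match?(/['"\[\]()]|\b(?:or|and)\b/i)
end

if __FILE__ == $0
  doc = REXML::Document.new(SITE_XML)
  probe = "home.html' or '1'='1"
  p lookup_by_concatenation(doc, probe)   # ["home.html", "admin.html"]
  p lookup_by_variable(doc, probe)        # []
end
```

Only the concatenated form is exposed; an XSLT processor that receives $pagename as a parameter behaves like lookup_by_variable, which is why the quoted tests against Sablotron, Saxon, libxslt and Xalan-J saw no injection.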
