The underlying idea behind XPath (and XQuery) is to treat XML as a kind of systematic
storage, similar to a database, and to offer similar ways of accessing the data.
So, just as in SQL, user-supplied input can end up in the construction of the XPath
query string, and the attack methods are almost identical to those explained previously.
The standard path to an employee's XML data, /employees/employee[@id='EMPLOYEE_ID'],
can easily be supplied with the classic '%20or%20'1'='1 (URL-encoded ' or '1'='1),
which turns the predicate into @id='' or '1'='1, so all employee data (including the
CEO's) is dumped to the browser. You can add any XPath function you like, such as:
'%20or%20fn:contains(fn:lower-case(@lastname),'your_CEO_lastname')%20or%20'
which selects every employee whose @lastname contains the given string, whatever the id.
The countermeasures are similar to those for SQL injection. The hardest to break are
parameterized XPath expressions, in which the user value is bound to a variable
rather than concatenated into the query string.
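As an added example (not code from the original page), here is the employee lookup from the paragraph above built in Node.js two ways: by string concatenation, which the URL-encoded payload breaks out of, and with the value wrapped as an XPath string literal via concat(), the portable fallback when the XPath engine offers no variable binding. The function names and the allow-list pattern for employee IDs are assumptions; the payloads are the two from the text, URL-decoded.

```javascript
// Added example, not code from the original page: the employee lookup built
// by string concatenation (vulnerable) and with the value wrapped as an XPath
// string literal. Function names and the ID allow-list are assumptions.

// The two payloads from the text, exactly as they arrive in the URL.
const PAYLOAD_ONE = decodeURIComponent("'%20or%20'1'='1");
const PAYLOAD_TWO = decodeURIComponent(
  "'%20or%20fn:contains(fn:lower-case(@lastname),'your_CEO_lastname')%20or%20'");

// Vulnerable: the value is pasted into the predicate, so a quote in it ends
// the literal and everything after it becomes XPath.
function lookupEmployeeUnsafe(employeeId) {
  return `/employees/employee[@id='${employeeId}']`;
}

// XPath 1.0 string literals have no escape sequence for the quote character.
// The portable workaround: quote with whichever quote the value lacks, and if
// it contains both, split it into concat() pieces that each need only one.
function xpathStringLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return `'${s}'`;
  if (!s.includes('"')) return `"${s}"`;
  const parts = [];
  for (const chunk of s.split("'")) {
    if (chunk !== '') parts.push(`'${chunk}'`);
    parts.push(`"'"`); // the single quote removed by split()
  }
  parts.pop(); // no quote follows the final chunk
  return `concat(${parts.join(', ')})`;
}

// Safe construction: the value is always a literal, never XPath syntax.
function lookupEmployeeSafe(employeeId) {
  return `/employees/employee[@id=${xpathStringLiteral(employeeId)}]`;
}

// Belt and braces: an employee ID has a known shape, so reject anything else
// before it reaches the query at all (assumed pattern).
function isValidEmployeeId(employeeId) {
  return /^[A-Za-z0-9_-]{1,32}$/.test(employeeId);
}

function lookupEmployee(employeeId) {
  if (!isValidEmployeeId(employeeId)) throw new Error('invalid employee id');
  return lookupEmployeeSafe(employeeId);
}

for (const p of [PAYLOAD_ONE, PAYLOAD_TWO]) {
  console.log('unsafe:', lookupEmployeeUnsafe(p));
  console.log('safe:  ', lookupEmployeeSafe(p));
}
```

Where the XPath engine supports variables (Java's javax.xml.xpath with an XPathVariableResolver, lxml's keyword arguments to xpath()), bind the value to a variable such as $id instead of building a literal at all; that is the prepared-statement analogue the text refers to, and the concat() form is the fallback for engines without it.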
JSON injection/JavaScript injection
The attack code for JSON and JavaScript injections is AT06.
Imagine that your service accepts JSON documents (or constructs them from user input)
and stores them for public use. For big and bulky JSON you would dedicate a NoSQL
database, hoping that NoSQL also means no injections.
JSON itself is brilliant: it is simple, and it can be injected (in a positive sense) into any
software or site capable of handling JavaScript. The flexibility is immense, thanks to AJAX and
the shared DOM. We can manipulate web page elements almost effortlessly using, for instance,
the Chrome extension API (chrome.extension.getURL()). The JSON content will be included
directly in the <script> tag of the targeted page. You will find all the necessary
instructions on the jQuery site, including manifest.json and a sample injected.js file.
Fellow architects, the preceding paragraph paraphrases the Chrome Extension API and
jQuery documentation (https://developer.chrome.com/extensions/extension#method-getURL
and http://jquery.com/), and that is not a joke. You will even find the following
examples there:
document.head.appendChild(script);
document.body.setAttribute("onLoad", "injected_main();");
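Including JSON directly in a <script> tag, as the paragraphs above describe, is safe only if every string inside it is escaped for the HTML parser as well as for JSON. As an added example (not from the original page or from the Chrome and jQuery documentation), here is the naive embedding beside a serializer that rewrites the dangerous characters as JSON \uXXXX escapes; the profile record and its attacker-controlled bio value are constructed for the demonstration, and all function names are assumptions.

```javascript
// Added example, not code from the original page: server-side JSON embedded
// in a <script> tag, naive and hardened. Names are assumptions.

// Constructed sample record; "bio" is the value an attacker controls.
const profile = {
  id: 42,
  bio: '</script><script>alert(document.cookie)</script>',
};

// Naive embedding. JSON.stringify produces valid JSON, but the HTML parser
// ends the script element at the first "</script" it sees, regardless of
// JavaScript string quoting, so the bio value breaks out of the data.
function embedUnsafe(data) {
  return `<script>var profile = ${JSON.stringify(data)};</script>`;
}

// Hardened serializer: replace the characters the HTML parser (and older
// JavaScript line-terminator rules) care about with JSON \uXXXX escapes.
// The result is still valid JSON and still parses to the same object.
function jsonForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function embedSafe(data) {
  return `<script>var profile = ${jsonForScript(data)};</script>`;
}

// Check used below: how many times "</script" appears in the HTML. A safe
// embedding has exactly one, the real closing tag.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

console.log(embedUnsafe(profile));
console.log(embedSafe(profile));
```

The escaped set (<, >, &, U+2028, U+2029) is the same one that established web frameworks rewrite when they emit JSON into HTML, for instance Rails' json_escape; the escapes are legal inside a JSON string, so the client-side JSON.parse or script evaluation still yields the original values.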