Interview toolstube

Published on March 19th, 2012 | by NJ Ouchn


Blackhat Amsterdam 2012 : ToolsTube with Tom Forbes on XCAT – Xpath Injection Tool

The tools exploit xpath injection vulnerability in web applications and support advanced exploitation features. Both Xpath 1.0 and 2.0 are supported. The tool allows extraction of entire XML database by exploiting the XPATH vulnerability in web application frameworks. Some of the advanced features which Xcat supports include:

  1. True and Error conditions (Blind Injection)
  2. Extracting Data over Out-of-band channels (HTTP, DNS)
  3. Abusing the DOC function and reading arbitrary XML files on the system

Tom is a university student who finished his summer internship at 7Safe last year. During the internship Tom worked on several interesting aspects of IT Security. His research paper on Hacking XPATH 2.0 is the only material available on internet on this topic.

Tags: , , , , ,

About the Author

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"

Back to Top ↑