The Art of Exploiting Injection Flaws at Black Hat Vegas 2013

(Article by Sumit “Sid” Siddharth)
Read other Sid’s posts at

So, you found a SQL Injection in an Oracle database. How will you execute OS code against it from the web application? Is there an xp_cmdshell equivalent in Oracle? What if the SQL Injection is not privileged, that is, the query you inject is not running as DBA? Surely you should be able to promote your user to the DBA role and then execute OS commands. Do you check for 2nd-order injection, double encoding/decoding, order-by and group-by clauses, etc.?

We all love Burp Professional; it’s a great tool for web application security. I don’t know a single web application security guy who does not use this tool. But because it’s such a great tool, do we all rely a bit too heavily on it, and what happens when it occasionally misses a SQL Injection? Oh, and by the way, do you find the particular check in which it executes “select 1” and then “select 1,2” a bit annoying, because it comes back with false positives all the time? What if this one time the check is actually not a false positive; will you be able to tell the difference?

Do you know how different LDAP servers (e.g. OpenLDAP, ADAM) behave when you send a crafted LDAP query? XPath injection, when the API supports XPath 2.0, allows extraction of not just the current XML document but any arbitrary XML file. And what if I tell you that it’s not just arbitrary XML files: you can actually extract any file. Do you think commercial tools do a good job of identifying these? Maybe you should read more here….

OWASP rates injection flaws as the most critical vulnerability in its Top 10 Most Critical Web Application Security Risks (the OWASP Top 10 project).

Even the 2013 release candidate has retained injection flaws as the top threat.

In this course we talk about Injection Flaws (A1) and only Injection Flaws: no XSS, no CSRF, no CRLF, etc. We cover injection flaws inside out and provide an in-depth understanding of the issues arising from this class of vulnerability. The topics covered in the class are:

  • SQL Injection
  • XPATH Injection
  • LDAP Injection
  • Hibernate Query Language Injection
  • Direct OS Code Injection
  • XML Entity Injection

During the 2-day course, attendees will have access to a number of challenges for each flaw, and they will learn a variety of exploitation techniques used by attackers in the wild. Of course, we cover the mitigation part as well.

I am disclosing some content from the course:

XPath 2.0 Injection: Last year at Black Hat Europe, my colleague Tom Forbes and I gave a talk on XPath Injection when the API supports XPath 2.0. Version 2.0 is the latest addition to the XPath API, and the additions bring loads of functions. This means an XPath 2.0 injection allows quicker extraction of data: if you find an XPath 2.0 injection you can extract the entire XML file, and you can do it far more quickly because it supports ASCII functions. Further, the 2.0 API supports a function called doc() which lets you parse and process XML files outside the current XML document. This is where the fun starts. In the talk, we showed attack vectors by which an attacker can make use of this doc() function to achieve the following:

  • read not just the current XML file but any arbitrary XML file on the file system
  • use the doc() function as a web client, making the back-end application issue HTTP/DNS requests and thus extract the back-end XML files far more quickly. In fact, we showed one request to dump it all, because we thought it was cool.

Since then, we have learnt a new attack vector by which we can make the vulnerable XPath application return not just arbitrary XML files but any file (à la /etc/passwd or c:\boot.ini). The attack works as follows:

1. We make the vulnerable XPath application read an attacker-controlled XML file.

2. The attacker’s file defines an external entity which refers to the arbitrary file you want to read (like /etc/passwd).

3. The vulnerable application reads the attacker-controlled XML file and processes the local resource (i.e. the vulnerable server’s /etc/passwd), which we read again using the doc() function.

4. And to speed this all up, we can use OOB extraction again by calling the doc() function in a different way.

All in all, this dumps any arbitrary file from the vulnerable server. Tom wrote a tool to automate it, and it actually works like a charm. The tool can be found here:
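As an added, defender-side example (not code from the course, the post or Tom’s tool; it uses only the Python standard library and a constructed user store): the same XPath query built the injectable way and the safe way, with the literal-escaping fallback for engines that offer no variable binding, plus a check that flags input naming doc() and its sibling document-loading functions from the XPath 2.0 spec.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample user store standing in for the application's XML backend.
USERS_XML = """<users>
  <user><name>alice</name><role>admin</role></user>
  <user><name>bob</name><role>user</role></user>
</users>"""
ROOT = ET.fromstring(USERS_XML)


def xpath_literal(value: str) -> str:
    """Return value as an XPath string literal that cannot break out of its quotes.
    XPath literals have no escape character, so a value holding both quote kinds
    is split on ' and rebuilt with concat(). Binding a variable ($user) is the
    better fix where the engine supports it; this is the fallback otherwise."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in value.split("'")) + ")"


def unsafe_query(username: str) -> str:
    """The concatenation pattern that creates the injection, kept for contrast."""
    return f"./user[name='{username}']"


def safe_query(username: str) -> str:
    """Same query with the literal built by xpath_literal(); input stays data."""
    return f"./user[name={xpath_literal(username)}]"


def find_roles(query: str) -> list:
    """Evaluate against ROOT. ElementTree's XPath subset accepts plain quoted
    literals; the injected predicate that a full engine would evaluate as
    always-true (returning every user) is instead rejected with SyntaxError."""
    return [u.findtext("role") for u in ROOT.findall(query)]


# XPath 2.0 functions that read documents other than the current one: doc() is
# the one the post describes; doc-available() and collection() sit beside it in
# the same spec. Input naming them deserves an alert even when the query is
# parameterised, since it signals someone probing for exactly this path.
EXTERNAL_DOC_FUNCS = re.compile(r"\b(doc|doc-available|collection)\s*\(", re.I)


def flags_external_access(user_input: str) -> bool:
    """True when the input names one of the document-loading functions above."""
    return bool(EXTERNAL_DOC_FUNCS.search(user_input))
```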

So, that’s just a small insight into XPath Injection. If you do web application security pentests, then this course is ideal for you; it dives deep into examples where modern web app scanners (Burp Professional, WEB-I****** etc.) miss these issues: 2nd-order injection, double encoding/decoding, HQLI, ORM injection, etc.

That’s all I am prepared to give away at this stage 🙂

The registration page can be found here:

See you at Black Hat Vegas !!

Submitted by Sid. Reach Sid’s Blog at

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"