XML/XPath Injection (Search) – (bWAPP Level: Low)


Hello Cyberman,

This article is about the XML/XPath Injection vulnerability in web applications.

What Is The XPath Vulnerability?

First, we need to learn a little about XML. The quote from Wikipedia below summarizes it well.

XML; Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing arbitrary data. 

Yes, as you can see, XML is used by websites. You are lucky if you find a website that processes XML, because XPath injection can be more dangerous than SQL injection: XPath has no access control of its own, so once the query is under your control the whole document becomes readable.

Let’s have a look. For the trial we use the bWAPP app. (If you do not know bWAPP, please look it up.)

So, set it up in bWAPP as seen in the picture above. XPath is the W3C standard way of addressing data elements in XML and XML-structured documents.

There is an XML file on this page, and the website reads it. While reading, it returns results using query expressions. “What is this query?” you may ask: these queries follow fixed rules for reading XML, like SQL, but more rigid.
For example, to get the last node matched by the query: “/bookstore/book[last()]”
This example selects the “book” elements under the “bookstore” tag.

Example XML:
            Romeo And Juliet

XPath is supported in many programming languages.
bWAPP is written in PHP, and the code is as below.

Now let’s think differently: if we put a single quote ( ‘ ) into the “$genre” variable, the query may break and we can append new query parts. That lets us read all the values in the XML file.

We do a normal search first. The result is below.

See the image above for the result: it listed the action movies. There is a parameter in the URL, “?genre=action&action=search”, that expects a value called “genre”.

We enter the string value: ‘)] | //password%00


The values in the “Password” tag are listed. The XML file is shown below:

You can get the values of any XML tag this way.
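To make the fix concrete, here is an added example (my own code, not bWAPP’s): the same genre search written first the vulnerable way and then hardened. The XML document, the element names and the exact shape of the XPath query are assumptions.

```php
<?php
// Constructed sample document: movies plus a user record with a password element.
$moviesXml = <<<XML
<movies>
  <movie><title>The Dark Knight</title><genre>action</genre></movie>
  <movie><title>Notting Hill</title><genre>romance</genre></movie>
  <user><login>alice</login><password>PLACEHOLDER_PASSWORD</password></user>
</movies>
XML;
$doc = new DOMDocument();
$doc->loadXML($moviesXml);
$xpath = new DOMXPath($doc);

// Vulnerable: $genre is concatenated into the expression unchanged, so a quote in
// the input closes the predicate and a "| //password" union adds other nodes.
function searchVulnerable(DOMXPath $xpath, string $genre): array
{
    return nodesToText($xpath->query("//movie[contains(genre,'" . $genre . "')]/title"));
}

// Hardened, step 1: turn any value into a correctly quoted XPath string literal.
// Values holding both quote kinds are built with concat(), so no input can close
// the literal early.
function xpathStringLiteral(string $value): string
{
    if (strpos($value, "'") === false) return "'" . $value . "'";
    if (strpos($value, '"') === false) return '"' . $value . '"';
    $pieces = array_map(fn($p) => "'" . $p . "'", explode("'", $value));
    return 'concat(' . implode(', "\'", ', $pieces) . ')';
}

// Hardened, step 2: allow-list the genre (short lowercase word only), which also
// rejects the NUL byte (%00) used to truncate the rest of the original query.
function searchHardened(DOMXPath $xpath, string $genre): array
{
    if (!preg_match('/^[a-z]{1,20}$/', $genre)) return [];
    return nodesToText($xpath->query('//movie[contains(genre,' . xpathStringLiteral($genre) . ')]/title'));
}

function nodesToText($nodes): array
{
    if ($nodes === false) return []; // query() returns false on a malformed expression
    $out = [];
    foreach ($nodes as $n) $out[] = $n->textContent;
    return $out;
}

print_r(searchVulnerable($xpath, 'action'));              // normal search
print_r(searchVulnerable($xpath, "')] | //password\0"));  // the page's payload, NUL = %00
print_r(searchHardened($xpath, "')] | //password\0"));    // rejected by the allow-list
```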

If you are interested, another source I think is worth a look:


Example list of XPath queries: https://devhints.io/xpath

Have a nice day with lots of informatics 🙂
