the-web-application-hackers-handbook

344 Chapter 9 n Attacking Data Stores
}
else
{
}
$logged_in=0;
$js is a JavaScript function, the code for which is constructed dynamically
and includes the user-supplied username and password. An attacker can bypass
the authentication logic by supplying a username:
Marcus’//
and any password. The resulting JavaScript function looks like this:
function() { return this.username == ‘Marcus’//’ & this.password == ‘aaa’; }
NOTE In JavaScript, a double forward slash (//) signifies a rest-of-line comment,
so the remaining code in the function is commented out.
An alternative means of ensuring that the $js function always returns
true, without using a comment, would be to supply a username of:
a’ || 1==1 || ‘a’==’a
JavaScript interprets the various operators like this:
(this.username == ‘a’ || 1==1) || (‘a’==’a’ & this.password ==
‘aaa’);
This results in all of the resources in the user collection being matched,
since the first disjunctive condition is always true (1 is always equal to 1).
Injecting into XPath
The XML Path Language (XPath) is an interpreted language used to navigate
around XML documents and to retrieve data from within them. In most cases,
an XPath expression represents a sequence of steps that is required to navigate
from one node of a document to another.
Where web applications store data within XML documents, they may use
XPath to access the data in response to user-supplied input. If this input is
inserted into the XPath query without any filtering or sanitization, an attacker
may be able to manipulate the query to interfere with the application’s logic or
retrieve data for which she is not authorized.
XML documents generally are not a preferred vehicle for storing enterprise data.
However, they are frequently used to store application configuration data that may
be retrieved on the basis of user input. They may also be used by smaller applications
to persist simple information such as user credentials, roles, and privileges.