Applies to ReadyAPI 2.7, last modified on May 14, 2019

About

The XPath Injection scan checks how your service handles incorrect or malicious XPath queries.

Typically, attackers try to use the XPath injection to find out the structure of XML data or access sensitive data. The XPath Injection scan simulates such requests, ensuring your server does not reveal any information that may be useful in further attacks. For example, your users’ information is stored in the XML file:

The XML file with information about users

The authentication code composes an XPath query as follows:

String xpathQuery = "//user[name/text()='" + request.get("username") + "' And password/text()='" + request.get("password") + "']";

Perform an XPath injection attack to the service using the following code as the username:

lol' or 1=1 or 'a'='a

If the scan does not reveal any information about possible vulnerabilities, it passes successfully.

If the scan has Failed, that may indicate your service is vulnerable to XPath attacks or cannot handle the authorization routines correctly.

Requirements

This scan is applicable to all types of test steps or requests.

How it works

The XPath Injection scan tries to attack the web service by replacing the original parameters of a test step with malicious strings, which exposes potential flaws in that service.

This scan uses assertions to validate each response and check if it includes any information about potential vulnerabilities.

If a response passes all assertions, PASS will be logged for that response. If any assertion fails, FAIL will be logged.

If you have not applied any assertions to the scan, Unknown will be logged for the response.

What it does

The XPath injection security scan tries to attack a web service by replacing the original parameters of a test step with malicious strings designed to expose potential flaws in web services that use user input in XPath expressions. Using assertions, you can ensure that the attack did not expose sensitive data, return the session ID, and so on.

Assertions

  • Default Assertion
    Sensitive Information Exposure – Verifies that your server does not reveal any information that is useful for attacks (such as stack traces if the server crashes).

  • Recommended Assertion
    Valid HTTP Status Codes – Verifies that the request does not return a 5xx status code (a server error).

Parameters

The XPath injection scan inserts values into the message parameters.

ReadyAPI: Configuring the XPath Injection scan

Normally, parameters are extracted automatically when you create the Scan. If there are no parameters present, ReadyAPI will not run the XPath Injection scan. See the Parameters section for more information.

Use the following options to configure the scan Strategy:

Option Description
Select Strategy One by One – Select to use requests one by one (may take some time).
All At Once – Select to use all requests at once.
Request Delay (ms) Set a pause between requests during the scan in milliseconds.
Apply to Failed TestSteps Select to run the scan even if the target test step fails.
Run only once Select to run the scan only once for each test step, even if ReadyAPI runs that step several times for a test case.

On the Advanced panel, review and edit the list of malicious strings used by the XPath Injection scan.

ReadyAPI: XPath Injection scan advanced options
To... Do the following...
Add one or more strings Click and enter a list of strings in the Import Strings dialog. Click OK.
Each line will appear as a separate string.
Replace all strings Click and enter a new list of strings in the Import Strings dialog.
Select Remove existing injection strings and click OK.
Each line will appear as a separate string and all previous strings will be removed.
Edit a string Select the line you want to edit and click . Specify the new value and click OK.
Delete a string Select the line you want to delete and click . Confirm your choice.

See Also

SQL Injection Scan
Sensitive Information Exposure Assertion
Valid HTTP Status Codes Assertion
Security Scans Types

Highlight search results