Penetration Testing mailing list archives

Re: XPath injection doubt


From: "Roshen Chandran" <roshen.chandran () paladion net>
Date: Fri, 30 Sep 2005 10:46:55 +0530


Anne Beckman wrote:
But how does that additional OR clause with 
'hey'='hello solve the problem too?


The 3rd OR clause in the attack string makes the
password comparison clause irrelevant, much like the
way a comment made the AND clause irrelevant in SQL
Injection. 

AND has higher precedence than OR, so the AND clause
is first evaluated with 'hey'='hello' and returns
false.  After that all the OR clauses are evaluated.
Notice that 1=1 will always evaluate to true... so the
overall condition will evaluate to true even when the
password comparison fails.

The logic of the string is explained in better detail
in this Palisade article:
http://palisade.paladion.net/issues/2005Jul/xpath-injection/

Roshen.
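The precedence argument above, as an added example that is not part of the original thread: a login lookup built by string concatenation beside one that binds the values as XPath variables, run with Ruby's bundled REXML against a constructed user store. The element names, user records and the injected input are assumptions made for the demonstration.

```ruby
require 'rexml/document'

# Constructed sample user store; not data from the thread.
USERS_XML = <<~XML
  <users>
    <user><name>alice</name><password>s3cret</password></user>
    <user><name>bob</name><password>hunter2</password></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable form: the predicate is built by string concatenation, so a quote
# in the input closes the literal and whatever follows becomes part of the
# XPath expression. Returns the matched user's name, or nil.
def login_concat(user, pass)
  xpath = "//user[name='#{user}' and password='#{pass}']"
  node = REXML::XPath.first(DOC, xpath)
  node && node.elements['name'].text
end

# Hardened form: the values are bound as XPath variables ($u, $p), so they are
# always compared as whole strings and cannot change the expression structure.
def login_bound(user, pass)
  xpath = "//user[name=$u and password=$p]"
  node = REXML::XPath.first(DOC, xpath, {}, { 'u' => user, 'p' => pass })
  node && node.elements['name'].text
end

# The input shape discussed in the thread: a third OR clause whose right-hand
# side is a bogus comparison. Because 'and' binds tighter than 'or', the
# concatenated predicate groups as
#   name='alice' or 1=1 or ('hey'='hello' and password='wrong')
# and 1=1 makes it true for every user, so the password check is bypassed.
INJECTED_NAME = "alice' or 1=1 or 'hey'='hello"

if __FILE__ == $PROGRAM_NAME
  puts "concat, valid creds:   #{login_concat('alice', 's3cret').inspect}"
  puts "concat, injected name: #{login_concat(INJECTED_NAME, 'wrong').inspect}"
  puts "bound, injected name:  #{login_bound(INJECTED_NAME, 'wrong').inspect}"
end
```

With the bound form the same input is compared as one literal string against each name and matches nothing, which is the check a reviewer should look for whenever user input reaches an XPath query.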




