In this walkthrough, we will go through the XML/XPath Injection (Login Form) vulnerability section from bWAPP Labs. We will explore and exploit XML/XPath injection in the login form and learn how applications are affected by it. So, let's get started with the hacking without any delay.
Security: Low
- Setting the security level to Low.
- The application consists of a login form which requires superhero credentials to log in. As per the intercepted request, a GET request is issued to xmli_1.php for the credentials check.
- I used the payload below in the username and password fields to bypass authentication.
' or '1'='1
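Why this payload gets through, and one way to close the hole, shown as an added example (not bWAPP's code and not part of the original write-up). The query shape, the heroes/hero/login/password element names, the sample records and the function names are all assumptions made for illustration.

```php
<?php
// Constructed sample data; the element names are assumptions, not bWAPP's file.
$xml = simplexml_load_string(
    '<heroes>' .
    '<hero><login>neo</login><password>trinity</password></hero>' .
    '<hero><login>thor</login><password>Asgard</password></hero>' .
    '</heroes>'
);

// Vulnerable pattern: input is concatenated straight into the XPath expression.
function login_vulnerable(SimpleXMLElement $xml, string $login, string $password): array
{
    $query = "/heroes/hero[login='$login' and password='$password']";
    return $xml->xpath($query) ?: [];
}

// Quote a value as an XPath 1.0 string literal (XPath 1.0 has no escape character).
function xpath_literal(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    // Both quote types present: join the pieces with concat().
    return "concat('" . implode("', \"'\", '", explode("'", $value)) . "')";
}

// Hardened pattern: allow-list the login, quote it as data, and compare the
// password outside the query so it never becomes part of the expression.
function login_hardened(SimpleXMLElement $xml, string $login, string $password): array
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $login)) {
        return [];
    }
    $nodes = $xml->xpath('/heroes/hero[login=' . xpath_literal($login) . ']') ?: [];
    return array_values(array_filter(
        $nodes,
        fn ($hero) => hash_equals((string) $hero->password, $password)
    ));
}

$payload = "' or '1'='1"; // the payload from the walkthrough
printf("vulnerable, payload: %d hero(es) matched\n", count(login_vulnerable($xml, $payload, $payload)));
printf("hardened, payload:   %d hero(es) matched\n", count(login_hardened($xml, $payload, $payload)));
printf("hardened, neo login: %d hero(es) matched\n", count(login_hardened($xml, 'neo', 'trinity')));
```

With the payload in both fields, the concatenated predicate becomes `login='' or '1'='1' and password='' or '1'='1'`, which is true for every hero node because the trailing `or '1'='1'` always holds.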
Conclusion:
So, we finally completed all the security levels for the bWAPP XML/XPath Injection (Login Form) vulnerability. We looked at how the application has been set up at the various levels and how we can bypass the security controls implemented. We can mitigate potential XML/XPath injection attacks by performing input sanitization and using secure XML parsing libraries. Along with that, we can configure XML parsers securely by disabling unnecessary features and restricting access to sensitive resources. On that note, I will take your leave and will meet you in the next one with another bWAPP vulnerability writeup. Till then, “Keep Hacking”.