...
In the context of the attack illustrated above, consider the following example, in which a login ID and password are read from the user and concatenated directly into the XPath query string.
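import java.io.IOException;
import org.w3c.dom.*;
import org.xml.sax.SAXException;
import javax.xml.parsers.*;
import javax.xml.xpath.*;

/**
 * NONCOMPLIANT example: authenticates a user by building an XPath query from
 * caller-supplied strings.
 *
 * <p>The class is kept deliberately vulnerable because it illustrates XPath
 * injection; do not copy {@link #doLogin(String, String)} into production code.
 * Both arguments are spliced inside quoted XPath string literals, so a value
 * that contains a quote character can change the structure of the predicate
 * instead of being compared as data, and the check can then succeed without
 * valid credentials.
 *
 * <p>Mitigations a compliant version would apply:
 * <ul>
 *   <li>Keep the expression constant and bind the values as XPath variables
 *       (for example {@code $loginID} and {@code $password}) through
 *       {@link XPath#setXPathVariableResolver(XPathVariableResolver)}, so input
 *       is never parsed as XPath syntax.</li>
 *   <li>Validate both inputs against a strict allowlist before use.</li>
 *   <li>Compare against a salted password hash rather than the cleartext
 *       password that this query expects to find in the document.</li>
 * </ul>
 */
public class XpathInjectionExample {

  /**
   * Checks whether {@code users.xml} (resolved against the working directory)
   * contains a {@code user} element whose {@code login} and {@code password}
   * text match the arguments.
   *
   * @param loginID login name supplied by the user; NOT sanitized here
   * @param password password supplied by the user; NOT sanitized here
   * @return {@code true} if the query selects at least one node
   * @throws ParserConfigurationException if no document builder can be created
   * @throws SAXException if {@code users.xml} is not well-formed
   * @throws IOException if {@code users.xml} cannot be read
   * @throws XPathExpressionException if the assembled expression does not
   *     compile or cannot be evaluated
   */
  public boolean doLogin(String loginID, String password)
      throws ParserConfigurationException, SAXException, IOException, XPathExpressionException {
    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
    domFactory.setNamespaceAware(true);
    DocumentBuilder builder = domFactory.newDocumentBuilder();
    Document doc = builder.parse("users.xml");

    XPathFactory factory = XPathFactory.newInstance();
    XPath xpath = factory.newXPath();

    // VULNERABLE BY DESIGN: untrusted input is concatenated into the query text.
    // (The listing's stray "+ +" and trailing quote, which kept it from compiling,
    // are removed, and a space now separates the first literal from "and".)
    XPathExpression expr = xpath.compile(
        "//users/user[login/text()='" + loginID + "'"
            + " and password/text()='" + password + "' ]");

    Object result = expr.evaluate(doc, XPathConstants.NODESET);
    NodeList nodes = (NodeList) result;

    // The query selects <user> elements, and Node.getNodeValue() is null for
    // element nodes, so this prints "null" once per match rather than a name.
    for (int i = 0; i < nodes.getLength(); i++) {
      System.out.println(nodes.item(i).getNodeValue());
    }

    // Any non-empty node set counts as a successful login, which is why an
    // altered predicate is enough to pass the check.
    return nodes.getLength() >= 1;
  }
}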
...