The attack therefore logs the attacker in (as the first user listed in the
XML document), even though the attacker supplied no valid user name or
password.
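As an added illustration of the mechanism described above (example code written for this edit, not part of the Threat Classification and not code from any vendor or paper it references), the Ruby snippet below contrasts a login query assembled by pasting credentials into the XPath text with the same query using XPath variable binding through the standard-library REXML parser. The XML credential store, user names and passwords are constructed sample data; the function names are this example's own.

```ruby
require 'rexml/document'

# Constructed sample credential store, shaped like the XML document a
# login form might query (hypothetical content, not taken from the page).
USERS_XML = <<~XML
  <users>
    <user><name>admin</name><password>not-a-real-pw</password></user>
    <user><name>bob</name><password>s3cret</password></user>
  </users>
XML

def load_users
  REXML::Document.new(USERS_XML)
end

# Vulnerable pattern: the credentials become part of the XPath source text,
# so a quote character in either input changes the structure of the query
# instead of being compared as data.
def lookup_unsafe(doc, user, pass)
  REXML::XPath.first(doc, "//user[name='#{user}' and password='#{pass}']")
end

# Hardened pattern: the query text is constant; the inputs are passed as
# XPath variables ($u, $p) and can only ever be compared as opaque strings.
def lookup_safe(doc, user, pass)
  REXML::XPath.first(doc, "//user[name=$u and password=$p]", {},
                     { "u" => user, "p" => pass })
end

# Convenience accessor: the matched user's name, or nil when nothing matched.
def user_name(node)
  node && node.elements['name'].text
end

if __FILE__ == $0
  doc = load_users
  # Legitimate credentials still resolve to the right record.
  puts user_name(lookup_safe(doc, "bob", "s3cret"))
  # A quote-bearing input is treated as a literal (and non-matching) name,
  # so no record is returned and no one is logged in.
  p lookup_safe(doc, "' or 1=1 or ''='", "anything")
end
```

The point to take from the hardened version is that no amount of quoting in the inputs can alter the predicate, because the query string never contains the inputs at all; the same discipline applies to any XPath library that offers variable binding.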
References
"XML Path Language (XPath) Version 1.0", W3C Recommendation, 16 Nov 1999
http://www.w3.org/TR/xpath
"Encoding a Taxonomy of Web Attacks with Different Length Vectors", G. Alvarez and S. Petrovic
http://arxiv.org/PS_cache/cs/pdf/0210/0210026.pdf
"Blind XPath Injection", Amit Klein
http://www.sanctuminc.com/pdfc/WhitePaper_Blind_XPath_Injection_20040518.pdf
5 Information Disclosure
The Information Disclosure section covers attacks designed to acquire
system-specific information about a web site. System-specific
information includes the software distribution, version numbers, and
patch levels, or the location of backup files and temporary files. In
most cases, divulging this information is not required to fulfill the
needs of the user. Most web sites will reveal a certain amount of data,
but it is best to limit that amount whenever possible. The more an
attacker learns about the web site, the easier the system becomes to
compromise.
5.1 Directory Indexing
Automatic directory listing/indexing is a web server function that lists
all of the files within a requested directory if the normal base file
(index.html/home.html/default.htm) is not present. When a
user requests the main page of a web site, they normally type in a
Copyright 2004, Web Application Security Consortium. All rights reserved.