Re: Tester appears to be broken


Anatoliy Artemenko

Apr 24, 2017, 2:55:57 PM4/24/17
to xpath...@googlegroups.com
Hi,

Seems to work fine. Got:

<SectionText><![CDATA[<br /><b>Vendor:</b><br /><a href="http://support.springsource.com/security/cve-2011-2730">SpringSource</a><br /><br /><b>Advisory:</b><br /><a href="http://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf">Expression Language Injection</a><br /><br /><b>CVE:</b><br /><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730">CVE-2011-2730</a><br /><br /><b>Expression Language:</b><br /><a href="http://jsp.java.net/spec/jsp-2_1-fr-spec-el.pdf">Expression Language Specification</a><br />]]></SectionText>

from the samples you provided.

br,
  anatoliy

On Mon, Apr 24, 2017 at 7:43 PM, <therealab...@gmail.com> wrote:
Hello, last week I used the xpathtester app without any issue, but it appears that the XPath namespace used only last week no longer works. The XML used:

<?xml version="1.0" encoding="UTF-8"?>

<Scan>
  <Issues>
    <Issue>
      <CheckTypeID>Vulnerability</CheckTypeID>
      <EngineType>CUSTOM</EngineType>
      <Scheme>https</Scheme>
      <Host>fakewebsite.com</Host>
      <Port>443</Port>
      <AttackMethod>POST</AttackMethod>
      <AttackParam>parent_id</AttackParam>
      <VulnerableSession><![CDATA[POST]]></VulnerableSession>
      <TriggerSession/>
      <VulnerabilityID>11310</VulnerabilityID>
      <Severity>3</Severity>
      <Name>Expression Language Injection</Name>
      <ReportSection>
        <Name>Summary</Name>
        <SectionText><![CDATA[WebInspect has detected an Expression Language (EL) injection vulnerability. EL injection vulnerabilities are introduced when an application fails to sufficiently validate untrusted user data before assigning it to attribute values of certain Spring MVC JSP tags. <br /><br />

Expression Language allows JSP pages to easily access application data stored in user-defined JavaBeans components as well the implicit objects. In addition, JSP pages can also invoke arbitrary public and static methods and perform arithmetic operations using EL expressions. 
<br /><br />

By allowing attackers to inject EL expressions through insufficiently validated user input, an application could grant unauthorized access to sensitive application and server information. Expression Language injection could also let attackers bypass HTTPOnly access restrictions imposed on cookies by exploiting access to the implicit <i><b>cookie</b></i> object made available in EL expressions.
<br /><br />

The affected spring framework versions include
<ul><li>3.0.0 to 3.0.5</li><li>2.5.0 to 2.5.6.SEC02 (community releases)</li><li>2.5.0 to 2.5.7.SR01 (subscription customers)</li></ul>]]></SectionText>
      </ReportSection>
      <ReportSection>
        <Name>Implication</Name>
        <SectionText><![CDATA[Expression Language injection vulnerabilities can be used to steal sensitive application information as well as bypass HTTPOnly cookie access restrictions. The impact depends on the information available within the application's context.]]></SectionText>
      </ReportSection>
      <ReportSection>
        <Name>Execution</Name>
        <SectionText><![CDATA[<br />Click <a href="~FullURL~">~FullURL~</a> to verify the vulnerability in a web browser.]]></SectionText>
      </ReportSection>
      <ReportSection>
        <Name>Fix</Name>
        <SectionText><![CDATA[<br />The vulnerability can be fixed by upgrading to Spring framework versions 3.1 and above. <br /><br /> For versions below 3.1 (3.0.6 onwards, 2.5.6.SEC03 onwards and 2.5.7.SR02 onwards), set the value of <i><b>springJspExpressionSupport</b></i> context parameter to <i><b>false</b></i>.]]></SectionText>
      </ReportSection>
      <ReportSection>
        <Name>Reference Info</Name>
        <SectionText><![CDATA[<br /><b>Vendor:</b><br /><a href="http://support.springsource.com/security/cve-2011-2730">SpringSource</a><br /><br /><b>Advisory:</b><br /><a href="http://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf">Expression Language Injection</a><br /><br /><b>CVE:</b><br /><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730">CVE-2011-2730</a><br /><br /><b>Expression Language:</b><br /><a href="http://jsp.java.net/spec/jsp-2_1-fr-spec-el.pdf">Expression Language Specification</a><br />]]></SectionText>
      </ReportSection>
      <HighlightSelections>
        <Selection>
          <Index>100</Index>
          <Length>14</Length>
        </Selection>
      </HighlightSelections>
      <RawResponse><![CDATA[HTTP/1.1 200 OK]]></RawResponse>
    </Issue>
  </Issues>
</Scan>
Sample XPath namespace that worked one week ago:
/Scan/Issues/Issue/ReportSection/SectionText[contains(., 'name=')]
Previously, using this namespace would return the final SectionText. Currently, however, it returns "ERROR - Seem there is no XPath provided?". Testing the same XML and namespace on another XPath testing web app, http://www.freeformatter.com/xpath-tester.html, returns the correct SectionText only.

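The check the original poster describes, as an added example that is not part of the thread or of the xpathtester app: Python's ElementTree has no `contains()`, so the location steps of `/Scan/Issues/Issue/ReportSection/SectionText` run through ElementTree and the `[contains(., 'name=')]` predicate is applied in Python to each node's string value. The XML is a constructed, trimmed copy of the post's sample; only the Reference Info section's CDATA contains `name=`, so it should be the single hit.

```python
"""Which SectionText nodes does [contains(., 'name=')] select?"""
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the XML from the original post: the
# section texts are shortened but keep the substrings that matter.
SAMPLE_XML = """<Scan><Issues><Issue>
  <Name>Expression Language Injection</Name>
  <ReportSection><Name>Summary</Name>
    <SectionText><![CDATA[WebInspect has detected an EL injection vulnerability.<br />]]></SectionText>
  </ReportSection>
  <ReportSection><Name>Implication</Name>
    <SectionText><![CDATA[Can bypass HTTPOnly cookie access restrictions.]]></SectionText>
  </ReportSection>
  <ReportSection><Name>Execution</Name>
    <SectionText><![CDATA[<br />Click <a href="~FullURL~">~FullURL~</a> to verify.]]></SectionText>
  </ReportSection>
  <ReportSection><Name>Fix</Name>
    <SectionText><![CDATA[Set springJspExpressionSupport to false.]]></SectionText>
  </ReportSection>
  <ReportSection><Name>Reference Info</Name>
    <SectionText><![CDATA[<b>CVE:</b><br /><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730">CVE-2011-2730</a>]]></SectionText>
  </ReportSection>
</Issue></Issues></Scan>
"""

NEEDLE = "name="  # the argument of contains(., 'name=')


def string_value(elem):
    # XPath string-value of an element: all descendant text concatenated.
    # CDATA is delivered by the parser as ordinary text, so it is included.
    return "".join(elem.itertext())


def matching_sections(xml_text, needle=NEEDLE):
    """Return (section name, text) for every SectionText reached by
    /Scan/Issues/Issue/ReportSection/SectionText whose string value
    contains `needle`, i.e. the nodes the poster's predicate keeps."""
    root = ET.fromstring(xml_text)
    if root.tag != "Scan":  # the absolute /Scan step fails otherwise
        return []
    hits = []
    for section in root.findall("./Issues/Issue/ReportSection"):
        text_node = section.find("SectionText")
        if text_node is not None and needle in string_value(text_node):
            hits.append((section.findtext("Name"), string_value(text_node)))
    return hits


if __name__ == "__main__":
    for name, text in matching_sections(SAMPLE_XML):
        print(f"{name}: {text[:60]}...")
```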
