22 Feb, 2024

SQL injection with filter bypass via XML encoding

SQL injection with filter bypass via XML encoding is a sophisticated cyber attack technique where an attacker exploits a web application’s SQL query processing vulnerability. This is done by injecting malicious SQL queries into the application, which are crafted using XML encoding to evade detection by security filters or input validation mechanisms that the application might employ.

In this type of attack, the attacker leverages the fact that many web applications accept XML input or support XML in some form, such as in web services or SOAP-based APIs. The malicious SQL code is encoded in a way that conforms to XML syntax rules, making it less likely to be caught by simple input sanitization routines that do not properly handle or decode XML-encoded data.

The attacker’s goal is typically to manipulate the application’s database queries in a way that allows unauthorized access to sensitive data, modification of data, or even database schema alterations. The use of XML encoding in this context serves as a smokescreen, making the malicious payloads appear benign to security systems that are not configured to decode and inspect XML-encoded content for SQL injection payloads.

Examples of exploitation

To better understand the vulnerability, we will review the PortSwigger lab “SQL injection with filter bypass via XML encoding”, a hands-on exercise in bypassing filtering systems when performing SQL injection with the help of XML encoding. In this lab, the SQL injection vulnerability is found in the stock availability check function. The results of the query are displayed in the application response, allowing a UNION attack to be used to extract data from other database tables.

The database has a users table containing the usernames and passwords of registered users. The task in this lab is to perform an SQL injection to obtain the credentials of a user with administrator rights, and then log in to that account.

For this lab work, we will be using the Hackvertor extension.

Let’s start by exploring the stock availability check request.

Let’s move our request to Repeater for convenience and try a standard payload to find out how many columns the query returns.

We get a 403 and an “Attack detected” message. Ok, now let’s use the Hackvertor tool and encode our payload using the hex_entities method.

Let’s send this request and see if we managed to bypass the WAF.

Ok, we have successfully bypassed the WAF; now let’s find out how many columns the query returns. We will do it with the payload “1 UNION SELECT NULL--”.

We have learnt that the query returns only one column, but we need to retrieve two values (username and password), so we concatenate them with the help of the PortSwigger SQL injection cheat sheet. The finished payload looks like this: “1 UNION SELECT username||'~'||password FROM users--”.

Let’s use these credentials to log into the administrator account and solve the lab.

Scanners that detect vulnerabilities

  1. OWASP ZAP (Zed Attack Proxy): It’s an open-source web application security scanner that can detect various vulnerabilities including SQL injection.

  2. SQLmap: This tool automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

  3. Burp Suite: A popular integrated platform for performing security testing of web applications which includes the detection of SQL injection vulnerabilities.

  4. Acunetix: A fully automated ethical hacking solution that mimics a hacker to keep one step ahead of malicious intruders.

  5. Netsparker: A web application security scanner that claims to deliver precise vulnerability detection.

  6. w3af: An open-source web application security scanner which has the ability to detect SQL injection.

  7. SQLninja: A tool focused on exploiting SQL injection vulnerabilities on a web application that uses Microsoft SQL Server.

  8. WebInspect: A web application security assessment tool by Micro Focus that identifies known and unknown vulnerabilities.

  9. AppScan: A tool by HCL Software that performs dynamic application security testing and static code analysis.

  10. Arachni: A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

Average CVSS score for SQL injection with filter bypass via XML encoding

The average Common Vulnerability Scoring System (CVSS) score for SQL injection vulnerabilities can vary widely depending on the specific nature of the vulnerability and the context in which it is found. However, looking at different instances of SQL injection vulnerabilities can give us a sense of the potential severity.

For instance, a SQL injection vulnerability in the “evoadm.php” component of b2evolution v7.2.2-stable was given a CVSS base score of 8.8, which is considered high. The vulnerability allowed remote attackers to obtain sensitive database information by injecting SQL commands into a parameter when creating a new filter under the “Collections” tab.

Another example is the SQL Injection vulnerability reported in Casdoor, which affected versions before the 1.13.1 release and was given a CVSS V3 score of 7.5, also indicating high severity.

Furthermore, an SQL injection vulnerability through authentication bypass in Online Reviewer System 1.0 was assigned a CVSS base score of 9.8, which is classified as critical. This indicates the vulnerability could lead to more severe impacts such as a reverse shell upload.

These examples show that SQL injection vulnerabilities are often regarded as high or critical in terms of severity, which is reflected in their CVSS scores. It’s important to note that each vulnerability will have its own CVSS score based on its unique characteristics, and the scores for SQL injection with filter bypass via XML encoding would need to be assessed on a case-by-case basis. The scores mentioned provide a general idea that such vulnerabilities are taken very seriously due to their potential to compromise systems significantly.

CVEs related to SQL injection with filter bypass via XML encoding

CVE-2022-24124: This vulnerability was discovered in Casdoor before version 1.13.1. It is a high severity SQL Injection vulnerability due to insufficient validation of user inputs in the field parameter. Attackers could exploit this by injecting SQL queries into the field parameter of the /api/get-organizations endpoint, potentially leading to significant information disclosure or system compromise. The CVSS V3 score for this vulnerability is 7.5, reflecting its high severity.

CVE-2021-27130: This critical SQL injection vulnerability affects Online Reviewer System 1.0. It allows attackers to bypass authentication mechanisms, potentially leading to unauthorized command execution or reverse shell upload, indicating a high risk of a complete system compromise.

CVE-2021-28242: In the b2evolution platform v7.2.2-stable, this vulnerability involves SQL injection via the “cf_name” parameter. Attackers can exploit this to access or manipulate database information, leading to a significant breach of data confidentiality and integrity.

CVE-2022-24124: This vulnerability in Casdoor versions prior to 1.13.1 allows attackers to inject malicious SQL through the application’s insufficiently validated input fields. Successful exploitation could enable attackers to perform unauthorized database operations, posing a substantial threat to data security.

Resources to study SQL injection with filter bypass via XML encoding

  1. Platforms like Udemy and Coursera feature courses tailored for different levels, from beginners to advanced professionals, focusing on web security. These courses often include modules on SQL injection, explaining both the theory and demonstrating real-world attack scenarios.

  2. “The Web Application Hacker’s Handbook” is a staple in the field, offering detailed insights into various hacking techniques, including SQL injection. It serves as both a learning tool and a reference guide for professionals.

  3. OWASP is a key resource for anyone interested in web security, providing up-to-date information on vulnerabilities, including advanced SQL injection techniques, and offering best practices for secure coding.

  4. Hack The Box and PortSwigger’s Web Security Academy offer hands-on labs that simulate real-world vulnerabilities, allowing learners to practice SQL injection attacks in a controlled environment.

  5. Events like DEF CON and Black Hat not only facilitate networking with cybersecurity professionals but also offer workshops and talks that delve into the latest security research and advanced hacking techniques.

How to be protected from SQL injection with filter bypass via XML encoding

  1. Use Prepared Statements (Parameterized Queries): The most effective way to prevent SQL injection is to use prepared statements with parameterized queries. This approach separates SQL logic from the data, making it nearly impossible for an attacker to alter the intent of a query, even with encoded input.

  2. Apply Whitelisting for Input Validation: Validate and sanitize all user inputs based on what is expected (e.g., alphanumeric for names). Reject any input that does not strictly conform to these expectations.

  3. Encode Data: When user input is reflected in HTML, JavaScript, URL, or any other output context, ensure proper encoding is applied to make the input safe for that context. For instance, HTML entity encoding can prevent XSS, which is often used in conjunction with SQL injection.

  4. Use ORM Frameworks: Object-Relational Mapping (ORM) frameworks like Hibernate, Entity Framework, or Django ORM abstract database interactions and typically use parameterized queries, reducing the risk of SQL injection.

  5. Implement Proper Error Handling: Customize error messages to prevent leakage of database information. Generic error messages help avoid giving attackers clues about the database structure or injection success.

  6. Keep Software Up-to-Date: Regularly update your database management system (DBMS), web server software, and any frameworks or libraries you use. Security patches often address vulnerabilities that could be exploited via injection.

  7. Use Database User Permissions Wisely: Limit the database permissions for the application user. Ideally, this user should only have the permissions necessary for its operation, such as SELECT, INSERT, UPDATE and DELETE, and should not hold administrative-level permissions such as ALTER, DROP or GRANT.

  8. Conduct Regular Security Audits and Code Reviews: Periodically review your application’s code for security vulnerabilities and use automated tools to help identify potential SQL injection flaws.

  9. Understand and Mitigate XML-specific Threats: If your application uses XML inputs, ensure that:
    - XML parsers are configured securely, disabling features like external entity references that could be exploited.
    - Inputs within XML documents are validated and sanitized just as rigorously as any other user input, and that this validation runs on the decoded values (after the parser has resolved character references), since a filter that only sees the raw encoded body is exactly what the technique described above bypasses.

  10. Educate and Train Developers: Ensure that everyone involved in developing the web application is aware of the risks associated with SQL injection and the best practices for preventing it.
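As an added example (not part of the original article or of the lab), the following Python sketch ties the walkthrough above to protection items 1, 2 and 9: it shows why a signature applied to the raw XML body misses hex-entity-encoded input, why the same signature matches once the XML parser has decoded the field, and how the stock check looks when hardened with allow-list validation and a parameterized query. The request bodies, the WAF signature and the stock table are constructed assumptions.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed request body (not taken from the lab): the page's probe
# "1 UNION SELECT NULL--" written as XML hexadecimal character references,
# which is what Hackvertor's hex_entities tag produces.
ENCODED_BODY = (
    "<stockCheck><productId>"
    "&#x31;&#x20;&#x55;&#x4e;&#x49;&#x4f;&#x4e;&#x20;"
    "&#x53;&#x45;&#x4c;&#x45;&#x43;&#x54;&#x20;"
    "&#x4e;&#x55;&#x4c;&#x4c;&#x2d;&#x2d;"
    "</productId><storeId>1</storeId></stockCheck>"
)
BENIGN_BODY = "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"

# Assumed signature behind the lab's "Attack detected" response.
SQLI_SIGNATURE = re.compile(r"\b(UNION|SELECT)\b", re.IGNORECASE)

def filter_on_raw_body(raw_body: str) -> bool:
    """Signature run on the undecoded body: it only ever sees '&#x55;&#x4e;...'."""
    return bool(SQLI_SIGNATURE.search(raw_body))

def decoded_product_id(raw_body: str) -> str:
    """The value the application really handles once the parser resolves the references."""
    return ET.fromstring(raw_body).findtext("productId", default="")

def filter_on_decoded_field(raw_body: str) -> bool:
    """Same signature, applied where inspection belongs: after XML decoding."""
    return bool(SQLI_SIGNATURE.search(decoded_product_id(raw_body)))

def vulnerable_query(raw_body: str) -> str:
    """Flawed pattern: decoded input concatenated into SQL (returned as text, not run)."""
    return f"SELECT units FROM stock WHERE productId = {decoded_product_id(raw_body)}"

def make_demo_db() -> sqlite3.Connection:
    """In-memory stock table with constructed rows for the hardened handler."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock (productId INTEGER PRIMARY KEY, units INTEGER)")
    conn.execute("INSERT INTO stock VALUES (1, 5), (2, 0)")
    return conn

def safe_stock_check(raw_body: str, conn: sqlite3.Connection) -> int:
    """Hardened handler: allow-list the decoded field as a short integer and bind
    it as a parameter, so its content can never change the statement's intent."""
    field = decoded_product_id(raw_body)
    if not re.fullmatch(r"\d{1,9}", field):
        raise ValueError("productId must be a positive integer")
    row = conn.execute("SELECT units FROM stock WHERE productId = ?", (int(field),)).fetchone()
    return row[0] if row else 0
```

Note that legitimate clients may also send character references (a productId of `&#x32;` decodes to `2`), so the allow-list must be applied to the decoded value rather than rejecting encoded input outright.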


In conclusion, the complexities of SQL injection with filter bypass via XML encoding demonstrate a challenging cybersecurity landscape. The discussed techniques highlight the creativity and persistence of attackers in circumventing traditional security measures. It’s clear that a multi-layered defense strategy, including both preventative measures such as parameterized queries and active detection with updated WAF configurations, is essential. Continuous education and the use of comprehensive security tools play a crucial role in safeguarding against such sophisticated attacks. This synthesis of theory, hands-on practice, and real-world examples provides a robust framework for understanding and defending against SQL injection threats in today’s dynamic and interconnected digital environment.
