I was recently using xcat on an assessment, and I found it to be the most functional of all the xpath injection tools I could find. There are a couple of features I would find particularly useful:
1) Dictionary matching on xml. Right now xcat blindly tries all characters for each location. However, some common words like "text" are very likely to show up. Especially when xcat retrieves "te" I think it would greatly speed up an attack if xcat would try to anticipate the next letter based on a small dictionary of likely words.
2) On the application I was testing, the session kept getting dropped by the application. To deal with this, and xcat's inability to understand a session, I ran xcat through Burpsuite and had Burp do session detection and auto login via a macro. The problem is that the occasional session drops would still result in xcat fudging on certain characters in the output. A nice feature would be to tell xcat to detect a specific string and reissue the request if that string is detected in the output. For instance, maybe if the string "login.php" or "Error" appears in the request, you want the request to be repeated. This is different from a false boolean result. In my case I effected this change with a quick and dirty hack:
```python
# lib\requestor.py (around line 85): inside the request coroutine, after the
# initial send; re-send the same payload while the body shows the login page.
while 'login.php' in body:
    response, body = yield from self.send_raw_request(payload)
```
3) Session state restore. This would be a huge win in my book. Right now, if xcat breaks, or you have to cancel an attack, you are stuck with starting over completely. I wish you could feed xcat the xml output of a previous attack and have it continue from the last character.
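A bounded version of the retry-on-marker idea from point 2, as an added example that is not xcat's code: the `while 'login.php' in body` hack above spins forever if the session can never be re-established, so this wrapper caps the retries and reports how many were needed. The sender (`FlakySender`), the payload string and the marker list are constructed stand-ins.

```python
import asyncio


class SessionLost(Exception):
    """Raised when the marker is still present after max_retries re-sends."""


async def send_with_retry(send_raw_request, payload, markers=("login.php",), max_retries=3):
    """Reissue a request while the response body contains a session-drop marker.

    Returns (response, body, retries). Unlike an unbounded loop, it gives up
    after max_retries so a permanently dead session cannot hang the run, and the
    retry count lets the caller log which characters needed re-sends.
    """
    retries = 0
    while True:
        response, body = await send_raw_request(payload)
        if not any(marker in body for marker in markers):
            return response, body, retries
        if retries >= max_retries:
            raise SessionLost(f"marker still present after {retries} retries")
        retries += 1
        await asyncio.sleep(0)  # a real client would back off or re-login here


class FlakySender:
    """Constructed stand-in for the request sender: 'drops' the session fail_first times."""

    def __init__(self, fail_first):
        self.fail_first = fail_first
        self.calls = 0

    async def __call__(self, payload):
        self.calls += 1
        if self.calls <= self.fail_first:
            return 302, "<html>redirecting to login.php</html>"  # constructed login page
        return 200, "<result>true</result>"  # constructed 'real' oracle response


def demo(fail_first, max_retries=3):
    """Synchronous entry point: (body, retries, total calls), body None if the session was lost."""
    sender = FlakySender(fail_first)
    try:
        _, body, retries = asyncio.run(send_with_retry(sender, "payload", max_retries=max_retries))
        return body, retries, sender.calls
    except SessionLost:
        return None, max_retries, sender.calls


if __name__ == "__main__":
    print(demo(2))   # recovers after two re-sends
    print(demo(10))  # gives up: session never comes back
```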