New feature: HTB Academy Badges Learn More

Injection Attacks

This module covers three injection attacks: XPath injection, LDAP injection, and HTML injection in PDF generation libraries. While XPath and LDAP injection vulnerabilities can lead to authentication bypasses and data exfiltration, HTML injection in PDF generation libraries can lead to Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), and other common web vulnerabilities. We will cover how to identify, exploit, and prevent each of these injection attacks.


Created by vautia

Medium Offensive


There are many injection vulnerabilities, the most famous ones being SQL injection, cross-site scripting, and command injection. While these are certainly the most common in real-world web applications, other not-very-known injection vulnerabilities exist. Since these injection vulnerabilities are generally less common and less known, developers are more likely not to be aware of them and, therefore, be oblivious to the mitigations against them. If we can find a website that utilizes XPath, LDAP, or PDF generation libraries, testing it against these attacks might allow us to move forward in our engagements.

In more detail, this module covers the following:

  • XPath Injection:
    • Introduction to XPath Syntax
    • Exploitation of XPath injection to bypass authentication
    • Exploitation of XPath injection to exfiltrate data
    • Exploitation of blind and time-based XPath injections to exfiltrate data
  • LDAP Injection:
    • Introduction to LDAP syntax
    • Exploitation of LDAP injection to bypass authentication
    • Exploitation of LDAP injection to exfiltrate data
  • HTML Injection in PDF Generation Libraries
    • Introduction to HTML injection in PDF generation libraries
    • Exploitation of PDF generation vulnerabilities leading to Server-Side Request Forgery (SSRF)
    • Exploitation of PDF generation vulnerabilities leading to Local File Inclusion (LFI)

This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.

Introduction to Injection Attacks

Injection vulnerabilities have constantly been one of the most relevant and prevalent security issues. As such, they have been in the OWASP Top Ten every time since its first release in 2003. While some injection vulnerabilities are reasonably well known, for instance, SQL Injection, Command Injection, or Cross-Site Scripting (XSS), there are significantly more injection vulnerabilities, most of which are less well known. The more famous types of injection vulnerabilities are certainly more common, however, on the other hand, most developers are aware of them, and common web application frameworks by default prevent them effectively. Since there is less awareness of the less common injection vulnerabilities, defense mechanisms are often implemented incorrectly or not at all, leading to simple attack vectors that can be exploited without any need for security control bypasses or advanced exploitation techniques.

Injection Attacks

XPath Injection

XML Path Language (XPath) is a query language for Extensible Markup Language (XML) data, similar to how SQL is a query language for databases. As such, XPath is used to query data from XML documents. Web applications that need to retrieve data stored in an XML format thus rely on XPath to retrieve the required data. XPath Injection vulnerabilities arise when user input is inserted into XPath queries without proper sanitization. Like SQLi vulnerabilities, XPath injection jeopardizes the entire data as successfully exploiting XPath injection allows an attacker to retrieve the entire XML document.

LDAP Injection

Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory servers such as Active Directory (AD). Web applications often use LDAP queries to enable integration with AD services. For instance, LDAP can enable AD users to authenticate to the web application. LDAP injection vulnerabilities arise when user input is inserted into search filters without proper sanitization. This can lead to authentication bypasses if LDAP authentication is incorrectly implemented. Additionally, LDAP injection can lead to loss of data.

HTML Injection in PDF Generators

Portable Document Format (PDF) files are commonly used for the distribution of documents. As such, many web applications implement functionality to convert data to a PDF format with the help of PDF generation libraries. These libraries read HTML code as input and generate a PDF file from it. This allows the web application to apply custom styles and formats to the generated PDF file by applying stylesheets to the input HTML code. Often, user input is directly included in these generated PDF files. If the user input is not sanitized correctly, it is possible to inject HTML code into the input of PDF generation libraries, which can lead to multiple vulnerabilities, including Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI).

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.