XPath Injection


Overview

XPath Injection may result when an application uses user input to form an XPath query string, then passes that query string to an XPath search.

Discovery Methodology

Attempt to inject XML reserved characters into input parameters and observe whether XML parsing errors are generated. Based on this feedback, make a list of the input parameters that appear to be passed into an XML parser.

For web services, check each input parameter specified in the WSDL or WADL document for those of type XML.

Exploitation

Use information disclosed in error messages to determine which file path the XML parser is parsing. Try to cause errors using malformed XML, XML reserved characters, XML that starts with whitespace or null characters, and XML that does not meet the XSL specification.

Example

Try this example in the username field:
admin' or '1' = '1
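The following is an added example, not code from the original page. It puts the query construction described in the Overview next to the payload above: a login lookup over a constructed XML user store (names, passwords and roles are made up for the example) that interpolates user input straight into the XPath expression, followed by a hardened version that binds the input as XPath variables through REXML's XPath.first variables argument, and a literal-quoting helper for XPath 1.0 engines that offer no variable binding.

```ruby
# Added example (not from the original page): vulnerable versus hardened
# XPath-based login lookup, using Ruby's bundled REXML library.
require 'rexml/document'

# Constructed sample user store; a real application would load this from a file.
USERS_XML = <<~XML
  <users>
    <user><name>admin</name><password>s3cret</password><role>admin</role></user>
    <user><name>alice</name><password>wonderland</password><role>user</role></user>
  </users>
XML

USERS = REXML::Document.new(USERS_XML)

# Returns the role of a matched <user> node, or nil when nothing matched.
def role_of(node)
  node && node.elements['role'].text
end

# Vulnerable: name and password are interpolated into the XPath expression, so a
# quote in the input ends the string literal and the rest becomes query syntax.
# With the page's payload the predicate reads
#   name='admin' or '1' = '1' and password='wrong'
# and the first branch alone selects the admin record.
def vulnerable_login(name, password)
  query = "//user[name='#{name}' and password='#{password}']"
  role_of(REXML::XPath.first(USERS, query))
end

# Hardened: the query text is constant and the input is supplied as XPath
# variables, so it is only ever compared as a value and cannot alter the
# structure of the expression.
def safe_login(name, password)
  query = '//user[name=$name and password=$password]'
  vars = { 'name' => name, 'password' => password }
  role_of(REXML::XPath.first(USERS, query, nil, vars))
end

# Fallback for engines without variable binding: produce an XPath 1.0 string
# literal that the input cannot terminate. XPath 1.0 has no escape sequences,
# so a value holding both quote kinds must be assembled with concat().
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{parts.join(%q(, "'", ))})"
end

# Same lookup as vulnerable_login, but every input goes through xpath_literal.
def quoted_login(name, password)
  query = "//user[name=#{xpath_literal(name)} and password=#{xpath_literal(password)}]"
  role_of(REXML::XPath.first(USERS, query))
end

if __FILE__ == $PROGRAM_NAME
  payload = "admin' or '1' = '1"
  puts "vulnerable: #{vulnerable_login(payload, 'wrong').inspect}"
  puts "variables:  #{safe_login(payload, 'wrong').inspect}"
  puts "quoted:     #{quoted_login(payload, 'wrong').inspect}"
end
```

Variable binding is the preferred fix wherever the XPath engine supports it (REXML, lxml, and javax.xml.xpath via XPathVariableResolver all do); the concat() construction is the portable fallback and is also the right way to embed a trusted constant that happens to contain quotes.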