LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What is XPATH injection and how can it be prevented?

Same idea as SQL injection, but the interpreter is an XPath engine querying an XML document — break out of the query string to return data you shouldn't see. Prevent it by XML-encoding input before building the query.

XPATH injection exploits XML document queries similar to SQL injection.

Example XML query:

/employees/employee[@id='EMPLOYEE_ID']

If EMPLOYEE_ID is ' or '1'='1, the query becomes:

/employees/employee[@id='' or '1'='1']

This returns all employees instead of just one.

Prevention:

  • Use XML encoding before applying XPath
  • ' becomes '

From Quiz: SPRG / Input Validation & Output Encoding | Updated: Jun 20, 2026