Quiz Entry - updated: 2026.06.20
What is XPATH injection and how can it be prevented?
Same idea as SQL injection, but the interpreter is an XPath engine querying an XML document — break out of the query string to return data you shouldn't see. Prevent it by XML-encoding input before building the query.
XPATH injection exploits XML document queries similar to SQL injection.
Example XML query:
/employees/employee[@id='EMPLOYEE_ID']
If EMPLOYEE_ID is ' or '1'='1, the query becomes:
/employees/employee[@id='' or '1'='1']
This returns all employees instead of just one.
Prevention:
- Use XML encoding before applying XPath
'becomes'