🧠 Description

XPath Injection attacks exploit applications that construct XPath queries from user input. Attackers can modify query logic to access unauthorized data or bypass authentication.

Impact: Data Extraction, Authentication Bypass

💣 Payloads

' or '1'='1
admin' or ''='
']//*[contains(name(),'admin')]
' and count(//user) > 0 and ''='

🛡️ Mitigation

✅ Use parameterized XPath queries

✅ Validate and sanitize input

✅ Use least privilege XPath context
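
Added example, not part of the original page: a Python sketch using lxml that runs two of the payloads above against a concatenated query and against the same query with bound XPath variables. The user document, element names, and the functions `login_concat` and `login_bound` are constructed for illustration.

```python
from lxml import etree

# Constructed sample user store (assumption, not from the original page).
USERS_XML = b"""<users>
  <user><name>admin</name><password>s3cret-admin</password></user>
  <user><name>alice</name><password>alice-pw</password></user>
</users>"""
DOC = etree.fromstring(USERS_XML)

# Compiled once. $name and $password are bound as string values at
# evaluation time, so quotes in the input never reach the XPath parser.
LOGIN_QUERY = etree.XPath(
    "/users/user[name=$name and password=$password]/name/text()"
)


def login_concat(name, password):
    """Vulnerable form: input is spliced into the expression text."""
    query = ("/users/user[name='%s' and password='%s']/name/text()"
             % (name, password))
    try:
        return [str(n) for n in DOC.xpath(query)]
    except etree.XPathError:
        return []  # the input produced an invalid expression


def login_bound(name, password):
    """Mitigated form: same query, input passed as XPath variables."""
    return [str(n) for n in LOGIN_QUERY(DOC, name=name, password=password)]


if __name__ == "__main__":
    attempts = [
        ("alice", "alice-pw"),         # legitimate login
        ("admin", "' or '1'='1"),      # payload from the list above
        ("admin' or ''='", "x"),       # payload from the list above
    ]
    for name, password in attempts:
        print(repr(name), repr(password),
              "concat:", login_concat(name, password),
              "bound:", login_bound(name, password))
```

With bound variables the payloads are compared as literal strings and match no user, while the legitimate login still succeeds.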