XPATH INJECTION TUTORIAL 2016
If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:
Username: ' or '1' = '1
Password: ' or '1' = '1
Looks quite familiar, doesn't it? Using these parameters, the query becomes:
string(//Employee[uname/text()='' or '1' = '1' and passwd/text()='' or '1' = '1']/account/text())
As in a common SQL Injection attack, we have created a query that is always evaluated as true: because XPath's and binds more tightly than or, the predicate reads as (uname='') or ('1'='1' and passwd='') or ('1'='1'), and the last alternative is always true. This means that the application will authenticate the user even though neither a valid username nor a valid password has been provided.
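The following is an added example (not code from the original tutorial) that reproduces the query rewrite described above in Python and sets it beside the defensive fix. It assumes the application builds the XPath expression by string concatenation around the same Employee/uname/passwd/account structure the tutorial's query implies; the function names and the allowlist pattern are the example's own choices. The hardened builder turns each user-supplied value into a proper XPath string literal (switching quote style, or using concat() when a value contains both quote characters), so the attacker's quote can no longer close the literal, and a strict allowlist check on the username rejects the payload outright.

```python
import re

# Constructed sample payload, identical to the one in the tutorial.
PAYLOAD = "' or '1' = '1"

# Allowlist for usernames (example policy, an assumption of this demo):
# letters, digits and a few safe punctuation characters, 1-64 long.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def build_query_unsafe(username: str, password: str) -> str:
    """Vulnerable pattern: raw concatenation of user input into the expression."""
    return (
        "string(//Employee[uname/text()='" + username
        + "' and passwd/text()='" + password + "']/account/text())"
    )


def xpath_literal(value: str) -> str:
    """Encode an arbitrary string as a single XPath 1.0 string literal.

    XPath 1.0 has no escape character inside literals, so the safe encoding is:
    - no single quote in the value  -> wrap in single quotes
    - no double quote in the value  -> wrap in double quotes
    - both present                  -> concat() of single-quoted pieces joined by "'"
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def is_valid_username(username: str) -> bool:
    """Allowlist validation: reject anything that is not a plain account name."""
    return USERNAME_RE.fullmatch(username) is not None


def build_query_safe(username: str, password: str) -> str:
    """Hardened builder: validate the username and quote both values as literals."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    return (
        "string(//Employee[uname/text()=" + xpath_literal(username)
        + " and passwd/text()=" + xpath_literal(password) + "]/account/text())"
    )


if __name__ == "__main__":
    # The unsafe builder yields exactly the always-true query from the tutorial.
    print(build_query_unsafe(PAYLOAD, PAYLOAD))
    # The allowlist stops the payload before any query is built.
    try:
        build_query_safe(PAYLOAD, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    # With a legitimate username, the password payload is compared literally.
    print(build_query_safe("alice", PAYLOAD))
```

Where the XPath engine supports parameter binding (for example javax.xml.xpath's XPathVariableResolver in Java, or lxml's `xpath("//Employee[uname/text()=$u]", u=value)` in Python), prefer binding variables over building literals at all; the literal encoding above is the fallback for engines that offer no such API.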