
# XPath injection

***

XPath is a query language designed to address parts of an XML document. In XPath injection testing we check whether user input is concatenated into an XPath expression that the application then evaluates, so that an attacker controls the query. A successful exploit typically bypasses authentication or reads data the user is not authorized to see. **XML databases use XPath as their standard query language**, so the attack applies wherever an XML-backed lookup is built from untrusted strings. Compared with SQL injection it is also more portable and less constrained: XPath 1.0 has a single syntax with no vendor dialects, so payloads transfer between applications, and, unlike a SQL database, an XPath engine enforces no ACLs, so an **injected query can reach every part of the XML document**.

## Testing

Let’s assume that our database is represented by the following XML file:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
    <user>
        <username>qasem</username>
        <password>!c3</password>
        <account>admin</account>
    </user>
    <user>
        <username>oamr</username>
        <password>w1s3c</password>
        <account>guest</account>
    </user>
    <user>
        <username>khaled</username>
        <password>Un6R34kb!e</password>
        <account>guest</account>
    </user>
</users>
```

An XPath query that returns the account of the user whose username is `qasem` and whose password is `!c3`:

```txt
string(//user[username/text()='qasem' and password/text()='!c3']/account/text())
```

If the application builds that query by concatenating the two form fields without any sanitization, submitting

```txt
Username: ' or '1' = '1
Password: ' or '1' = '1
```

produces the expression

```txt
string(//user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1']/account/text())
```

In XPath `and` binds tighter than `or`, so the predicate reads `(username='') or ('1'='1' and password='') or ('1'='1')`. The last clause is always true, every `user` element matches, and `string()` returns the account of the first one: `admin`.

## Blind XPath injection

Blind XPath injection extracts data from an application that embeds user-supplied input in a query but never shows the query result. It is used when the structure of the XML document is unknown or error messages are suppressed, and it is **limited to pulling one piece of information at a time by asking true/false questions (booleanized queries)**, for example whether a login succeeds or fails.

## Booleanization

Using the `string-length(S)` function, where S is the target string (for example a password node), the attacker first determines the length of the string by testing `string-length(S)=1`, `string-length(S)=2`, and so on until one comparison answers true. Then, with one `substring(S,N,1)` call per position, where S is the same string, N is the 1-based start position and `1` is the number of characters taken from N, the attacker compares the single character against each candidate in turn and enumerates the whole string, one true/false answer per request.

> exploitation: <https://owasp.org/www-community/attacks/Blind_XPath_Injection>

### Whitepapers

* [Amit Klein: “Blind XPath Injection”](http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf)
* [XPath 1.0 specifications](https://www.w3.org/TR/1999/REC-xpath-19991116/)

