XPath Injection (Part 1)

XPath is used to create queries which allow users to manipulate data inside a XML document. In this tutorial, we'll start with the basics of XPath queries to understand them better. Later on, we'll move onto the injecting part.Below is a little introduction to XPath from the w3school to understand the terminology used in XPath Data Manipulation Language. Just as we need to know what a database is (tables, columns, data, queries, etc.) if we want to learn SQL injection, we need to understand the basic structures of XML to Inject into XPath queriesIn XPath, there are seven kinds of nodes:

1. element
2. attribute
3. text
4. namespace
5. processing-instruction
6. comment
7. document

XML documents are treated as trees of nodes. The topmost element of the tree is called the root element.Look at the following XML document: Example of nodes in the XML document above:Atomic valuesAtomic values are nodes with no children or parentExample of atomic values:ItemsItems are atomic values or nodes.

---

Relationship of NodesParentEach element and attribute has one parent.In the following example, the book element is the parent of the title, author, year, and price: ChildrenElement nodes may have zero, one or more children.In the following example, the title, author, year, and price elements are all children of the book element: SiblingsNodes that have the same parent.In the following example, the title, author, year, and price elements are all siblings: AncestorsA node's parent, parent's parent, etc.In the following example, the ancestors of the title element are the book element and the bookstore element: DescendantsA node's children, children's children, etc.In the following example. descendants of the bookstore element are the book, title, author, year, and price elements:[divider]

Next: Xpath Injection Part 2

[divider]* Some examples used throughout this 3 part Xpath Injection series are from the w3schools website. *