XML can be used for data storage in a manner similar to a relational database. Data is frequently retrieved from such an XML document using XPath expressions. XPath injection can occur when data supplied to an XPath retrieval routine is inserted into the query without proper sanitization. This attack is similar to SQL injection or XML injection (see the appropriate parts of IDS00-J. Sanitize untrusted data passed across a trust boundary), in which an attacker enters valid SQL or XML constructs in the data fields of the query in use. In typical attacks, the conditional field of the query resolves to a tautology or otherwise gives the attacker access to privileged information.
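The following added example is not code from the CERT page; it shows the concatenated login query discussed in this rule as Java code, side by side with a version that binds the credentials through an XPathVariableResolver, the mechanism the javax.xml.xpath API provides for keeping data out of the expression. The user store, the method names loginUnsafe and loginSafe, and the password values are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathInjectionDemo {

  // Constructed user store for the illustration; the password values are arbitrary.
  private static final String USERS_XML =
      "<users>"
    + "  <user><username>Utah</username><password>e90205372a3b89e2</password></user>"
    + "  <user><username>Bob</username><password>d1a0f2a5c3d2c6f5</password></user>"
    + "</users>";

  private static Document loadUsers() throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Unrelated to XPath injection, but any XML parser fed attacker-reachable
    // input should refuse DOCTYPE declarations to rule out XXE.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    return dbf.newDocumentBuilder()
              .parse(new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));
  }

  // Noncompliant: the credentials are concatenated into the XPath expression.
  // A password of   ' or '1'='1   turns the predicate into
  //   username/text()='Utah' and password/text()='' or '1'='1'
  // and, because 'and' binds tighter than 'or', every <user> node matches.
  static boolean loginUnsafe(String login, String password) throws Exception {
    String expr = "//users/user[username/text()='" + login
                + "' and password/text()='" + password + "']";
    XPath xpath = XPathFactory.newInstance().newXPath();
    NodeList hits = (NodeList) xpath.evaluate(expr, loadUsers(), XPathConstants.NODESET);
    return hits.getLength() > 0;
  }

  // Compliant: the expression is fixed and the credentials are bound as XPath
  // variables, so quotes and operators in the input are compared as literal text.
  static boolean loginSafe(final String login, final String password) throws Exception {
    XPath xpath = XPathFactory.newInstance().newXPath();
    xpath.setXPathVariableResolver(new XPathVariableResolver() {
      @Override
      public Object resolveVariable(QName name) {
        switch (name.getLocalPart()) {
          case "login":    return login;
          case "password": return password;
          default:         return null; // unresolved variable: evaluation throws, failing closed
        }
      }
    });
    String expr = "//users/user[username/text()=$login and password/text()=$password]";
    NodeList hits = (NodeList) xpath.evaluate(expr, loadUsers(), XPathConstants.NODESET);
    return hits.getLength() > 0;
  }

  public static void main(String[] args) throws Exception {
    String payload = "' or '1'='1";
    System.out.println("unsafe, injected password: " + loginUnsafe("Utah", payload));
    System.out.println("safe, injected password:   " + loginSafe("Utah", payload));
    System.out.println("safe, real password:       " + loginSafe("Utah", "e90205372a3b89e2"));
  }
}
```

The login name is concatenated in exactly the same way in loginUnsafe, so a payload supplied as the username is just as effective as one supplied as the password; the variable-binding version handles both fields identically. Hashing the password before it reaches the query (MSC51-J) closes only the password field.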
...
Because the '1'='1' is automatically true, and because 'and' binds more tightly than 'or', the whole predicate is true for every user node regardless of the password comparison, so the password is never validated. Consequently, the attacker is inappropriately authenticated as user Utah without knowledge of user Utah's password.
Compliance with MSC51-J. Store passwords using a hash function requires that passwords be stored and compared as hash values rather than as plaintext, so the value inserted into the query would be the hash of the user's input rather than the input itself. Unfortunately, many small systems fail to comply with MSC51-J, so the password text added to the query string matches precisely what the user enters. Note that hashing neutralizes only a payload supplied through the password field; a value supplied as the login name is still inserted verbatim, so hashing is no substitute for sanitizing the input or parameterizing the query. An attacker could supply a password such as:
...