XPath injection occurs when an XML document is used as a data store in much the same way as a relational database and an XPath query against it is built from unvalidated user input. The attack is analogous to SQL injection (guideline IDS07-J. Prevent SQL Injection): the attacker supplies valid XPath constructs in the data fields of the query, so that the conditional part of the query resolves to a tautology or otherwise returns information the attacker is not authorized to see. This guideline is a specific example of the broadly scoped guideline IDS00-J. Always validate user input.

...

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

...