Additional information (xp)

XPath injection

This is a type of attack in which a malicious query is sent specifically to an XML file, unlocking areas of that file that contain sensitive information such as passwords and user data. Often the XML file is first compromised to get an idea of its structure and to find out where the sensitive data sits.
Mostly, large amounts of data are stored in a database, but sometimes this is done with an XML text file, which can be accessed by an intruder.
Prevention typically consists of validating every user input that goes into a query and not using XML files for storing sensitive information.
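The two preventive measures above, as an added example that is not part of the original page: user input is checked against an allow-list before any lookup, and the XPath expression itself stays constant so input is only ever compared as data. The document layout, the `USERNAME_RE` pattern and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document; following the advice above it holds no secrets.
SAMPLE_XML = """<directory>
  <user id="u1"><name>alice</name><role>editor</role></user>
  <user id="u2"><name>bob</name><role>viewer</role></user>
</directory>"""

# Allow-list (assumed policy): only characters a user name legitimately needs.
# Quotes, brackets, slashes and whitespace, i.e. XPath syntax, never match.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Return value unchanged if it is a well-formed user name, else raise."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("rejected user name")
    return value


def find_role(root, username):
    """Look up a user's role without letting the input shape the query."""
    name = validate_username(username)
    # The XPath expression is a constant; the user-supplied value is only
    # compared as data in Python, never concatenated into the expression.
    for user in root.iterfind("./user"):
        if user.findtext("name") == name:
            return user.findtext("role")
    return None


def lookup(username):
    """Convenience wrapper over the constructed sample document."""
    return find_role(ET.fromstring(SAMPLE_XML), username)


if __name__ == "__main__":
    # Constructed inputs: two well-formed names and several malformed ones.
    for candidate in ["alice", "carol", "ali'ce", "a/b", "", "a" * 40]:
        try:
            print(repr(candidate), "->", lookup(candidate))
        except ValueError as exc:
            print(repr(candidate), "->", exc)
```

Rejecting malformed input outright, instead of trying to escape it, keeps the check simple to audit and gives a clear event to log.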