Written by William Walseth
Wednesday, 25 February 2009 14:10
Many developers know to protect their code from SQL injection attacks, and there is a wide body of knowledge about that type of attack. XPath injection attacks are less well known. This article shows how an injection attack occurs and how to protect against it.

In an XPath application you might build a query like the following, where strID and strPW are the user-supplied user ID and password:

    "//user[@id='" + strID + "'][@pw='" + strPW + "']";

Normally, if the user supplies just simple text, this works: you need an exact match of both the ID and the password. However, if you construct a filter in just the right way, it's possible to retrieve the first user in the XML file. For example, if you supplied this string

    a' or '1'='1

as both the ID and password, both filter clauses would succeed, and the query would return the first user in the file (yikes!).

Steps to avoid XPath injection

- Inspect user data. Look for any non-alphanumeric characters.
- Check key fields used in queries for injection data. If your elements have a numeric key, simply check that it contains only numbers.
- Guard sensitive transactions. After retrieving an XML node with XPath, manually compare the attributes returned. For example, after running the logon query, do a manual check that the @id field matches strID, and likewise that @pw matches strPW.
- Use LDAP for user ID / password data (as a more secure alternative).

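
The input inspection and the manual attribute check from the steps above, as an added Python example that is not the article's own code. The sample XML, the function names and the use of Python's ElementTree (which implements only a subset of XPath and stands in for the article's XPath engine) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data (not from the article).
USERS_XML = """<users>
  <user id="admin" pw="s3cret"/>
  <user id="bob" pw="hunter2"/>
</users>"""
ROOT = ET.fromstring(USERS_XML)

# The article's example input, supplied as both ID and password.
PAYLOAD = "a' or '1'='1"

ALNUM = re.compile(r"[A-Za-z0-9]+")


def build_query(str_id, str_pw):
    """The article's concatenated filter; input lands inside the quotes."""
    return "//user[@id='" + str_id + "'][@pw='" + str_pw + "']"


def is_clean(value):
    """Inspect user data: accept ASCII letters and digits only."""
    return ALNUM.fullmatch(value) is not None


def node_matches(node, str_id, str_pw):
    """Guard the transaction: re-check the returned attributes by hand."""
    return (node is not None
            and node.get("id") == str_id
            and node.get("pw") == str_pw)


def logon(root, str_id, str_pw):
    """Return the matching <user> element, or None if the logon is refused."""
    if not (is_clean(str_id) and is_clean(str_pw)):
        return None  # a quote or space never reaches the query
    node = root.find("." + build_query(str_id, str_pw))
    return node if node_matches(node, str_id, str_pw) else None


if __name__ == "__main__":
    print(build_query(PAYLOAD, PAYLOAD))
    print(logon(ROOT, "bob", "hunter2"))
    print(logon(ROOT, PAYLOAD, PAYLOAD))
```

The two checks are independent: `is_clean` stops the quote characters before the query is built, and `node_matches` still refuses the logon if an engine ever returns a node whose attributes differ from what the user typed.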
The good news is that XPath is a query only language, and cannot update XML documents. A little protection goes a long, long way.
Last Updated on Wednesday, 25 February 2009 15:03