XPath injection: authentication
root-me challenge: XPath injection - Authentication: retrieve the administrator password.
Using Offensive Security Cheatsheet: XPath Injections:
username=John' or '1'='1&password=
Techniques
Counter moves
This page works through XPath injection against an authentication form. The counter moves reduce to server-side validation and least privilege. The defender’s view is in the blue notes on the application layer as a target.
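An added example of the server-side validation counter move (not code from the challenge or the cheatsheet): the login check validates the username against an allowlist and compares credentials in code, so request input never becomes part of an XPath string. The XML layout, the `authenticate` function and the allowlist pattern are assumptions made for illustration.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample user store (not the challenge's data). Passwords are
# plaintext only to keep the sample short.
USERS_XML = """
<users>
  <user><username>John</username><password>s3cret-john</password><role>user</role></user>
  <user><username>admin</username><password>s3cret-admin</password><role>administrator</role></user>
</users>
"""

# Server-side allowlist (assumed policy): no quotes, spaces or XPath operators.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def authenticate(root, username, password):
    """Return the matching user's role, or None if the login fails."""
    if not USERNAME_RE.fullmatch(username) or not password:
        return None
    result = None
    # Fixed query containing no user input; matching happens in code.
    for user in root.findall("./user"):
        name = user.findtext("username", default="")
        stored = user.findtext("password", default="")
        name_ok = hmac.compare_digest(name.encode(), username.encode())
        pass_ok = hmac.compare_digest(stored.encode(), password.encode())
        if name_ok and pass_ok:
            result = user.findtext("role")
    return result


def demo():
    root = ET.fromstring(USERS_XML)
    return {
        "valid": authenticate(root, "John", "s3cret-john"),
        # The username/password pair from the request shown on this page.
        "page_payload": authenticate(root, "John' or '1'='1", ""),
        "payload_with_password": authenticate(root, "John' or '1'='1", "x"),
        "wrong_password": authenticate(root, "admin", "guess"),
    }


if __name__ == "__main__":
    print(demo())
```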