Expected Findings
- Username is interpolated into the XPath expression.
- `' or '1'='1` matches every user node.
- Same XML store is queried for permissions.
The legacy auth path runs an XPath query built by string concatenation, so `' or '1'='1` flips authentication into a tautology.
CWE-643
`expr = "/users/user[name='" + u + "' and pass='" + p + "']"`
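
The following is an added example, not code from the original page. It shows how the quoted payload changes the operator structure of the concatenated expression, next to a builder that keeps each value inside a single XPath string literal. The function names and the choice to send the payload in both fields are assumptions made for illustration.

```python
import re

# Constructed input: the payload quoted on the page, sent in both fields.
PAYLOAD = "' or '1'='1"

def legacy_expr(u, p):
    # The page's concatenation, kept as is: input lands between the quotes.
    return "/users/user[name='" + u + "' and pass='" + p + "']"

def xpath_literal(s):
    # XPath 1.0 string literals have no escape character, so choose a
    # delimiter the value does not contain, or split it with concat().
    if "'" not in s:
        return "'" + s + "'"
    if '"' not in s:
        return '"' + s + '"'
    pieces = ["'" + part + "'" for part in s.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"

def quoted_expr(u, p):
    # Same query shape, but each value is emitted as one string literal.
    return "/users/user[name=%s and pass=%s]" % (xpath_literal(u), xpath_literal(p))

_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")

def operators(expr):
    # Blank out string literals, then list the boolean operators that
    # remain in the expression's own structure.
    skeleton = _LITERAL.sub("?", expr)
    return re.findall(r"\b(and|or)\b", skeleton)

def structure_intact(expr):
    # The intended query has exactly one operator: the single "and".
    return operators(expr) == ["and"]

if __name__ == "__main__":
    for build in (legacy_expr, quoted_expr):
        expr = build(PAYLOAD, PAYLOAD)
        print(build.__name__, expr, operators(expr), structure_intact(expr))
```

Where the XPath engine supports variable binding, passing the values as variables is preferable to building literals by hand.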