and password/text()='"+TextBox2.Text+
"']/account/text())");
String account=Convert.ToString(nav.Evaluate(expr));
if (account=="") {
// name+password pair is not found in the XML document
// login failed.
} else {
// account found -> Login succeeded.
// Proceed into the application.
}
When such code is used, an attacker can inject XPath expressions,
e.g. provide the following value as a user name:
' or 1=1 or ''='
This causes the semantics of the original XPath to change, so that it
always returns the first account number in the XML document. The
query, in this case, will be:
string(//user[name/text()='' or 1=1 or ''='' and
password/text()='foobar']/account/text())
Which is identical (since the predicate evaluates to true on all
nodes) to
string(//user/account/text())
Yielding the first instance of //user/account/text().
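The behaviour described above, reproduced against a constructed two-user document, next to a lookup that never parses user input as XPath. This is an added example, not part of the original text: the XML data, class and method names are assumptions, and the hardened version substitutes LINQ to XML for the string-built XPath query.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;
using System.Xml.XPath;

static class XPathLoginDemo
{
    // Constructed sample data using the //user/{name,password,account} layout of the query above.
    const string Xml = @"<users>
  <user><name>alice</name><password>s3cret</password><account>1001</account></user>
  <user><name>bob</name><password>hunter2</password><account>1002</account></user>
</users>";

    // Vulnerable pattern from the text: user input is concatenated into the XPath string,
    // so quote characters in the input change the structure of the predicate.
    static string LookupConcat(XPathNavigator nav, string name, string password)
    {
        string q = "string(//user[name/text()='" + name +
                   "' and password/text()='" + password + "']/account/text())";
        return Convert.ToString(nav.Evaluate(q));
    }

    // Hardened lookup: input is only ever compared as a string value, never parsed as XPath.
    static string LookupSafe(XDocument doc, string name, string password)
    {
        XElement user = doc.Descendants("user").FirstOrDefault(u =>
            (string)u.Element("name") == name &&
            (string)u.Element("password") == password);
        return user == null ? "" : (string)user.Element("account") ?? "";
    }

    static void Main()
    {
        XDocument doc = XDocument.Parse(Xml);
        XPathNavigator nav = doc.CreateNavigator();
        string injected = "' or 1=1 or ''='";   // the user-name value given in the text

        // The concatenated query returns the first account for the injected name;
        // the safe lookup returns an empty string (login failed) for the same input.
        Console.WriteLine("concat, valid login: [" + LookupConcat(nav, "bob", "hunter2") + "]");
        Console.WriteLine("concat, injected   : [" + LookupConcat(nav, injected, "foobar") + "]");
        Console.WriteLine("safe,   valid login: [" + LookupSafe(doc, "bob", "hunter2") + "]");
        Console.WriteLine("safe,   injected   : [" + LookupSafe(doc, injected, "foobar") + "]");
    }
}
```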
Copyright 2004, Web Application Security Consortium. All rights reserved.



