"As new technologies emerge and become well established so do threats against those technologies. Blind SQL injection attacks are a well know and recognized form of code injection attack, but there are many other forms, some not so well documented or understood. An emerging code injection attack is the XPath injection attack, which takes advantage of the loose typing and forgiving nature of XPath parsers to allow malcontents to piggyback malicious XPath queries on URLs, forms, or other methods to gain access to privileged information and change it.
This article looks at how XPath attacks are usually carried out and provides an example in Java™ and XML environments. It discusses how to detect such threats, looks at what you can do to mitigate the threat, and finally discusses what you can do in response to a suspected penetration."
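
The root cause and the standard mitigation, shown as an added Java example that is not taken from the article: a lookup that concatenates caller input into the XPath source, beside one that binds the value through an `XPathVariableResolver`. The document, the class name `XPathLookup` and the method names are assumptions made for illustration, and the input is an ordinary value containing a quote.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLookup {
    // Constructed sample document; element and attribute names are hypothetical.
    static final String USERS =
        "<users><user name=\"alice\" role=\"admin\"/><user name=\"o'brien\" role=\"guest\"/></users>";

    // Fragile: the caller's string becomes part of the XPath source text,
    // so any quote character in it is parsed as query syntax.
    static String roleByConcatenation(Document doc, String name) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate("/users/user[@name='" + name + "']/@role", doc);
    }

    // Hardened: the expression is a constant and the value is bound through
    // an XPathVariableResolver, so it is only ever compared as a string.
    static String roleByVariable(Document doc, String name) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(qname -> "name".equals(qname.getLocalPart()) ? name : null);
        return xpath.evaluate("/users/user[@name=$name]/@role", doc);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations when parsing XML in a security-sensitive path.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(USERS)));

        String input = "o'brien"; // constructed value that happens to contain a quote
        try {
            System.out.println("concatenated: " + roleByConcatenation(doc, input));
        } catch (XPathExpressionException e) {
            // The quote ended the string literal early, so the query text itself changed.
            System.out.println("concatenated: input altered the query and it no longer parses");
        }
        System.out.println("variable:     " + roleByVariable(doc, input));
    }
}
```

A parse failure on the concatenated path is also a useful detection signal: logging `XPathExpressionException` together with the offending parameter shows where user input reaches query text.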