
Avoid the dangers of XPath injection

"As new technologies emerge and become well established so do threats against those technologies. Blind SQL injection attacks
are a well known and recognized form of code injection attack, but there are many other forms, some not so well documented or
understood. An emerging code injection attack is the XPath injection attack, which takes advantage of the loose typing and
forgiving nature of XPath parsers to allow malcontents to piggyback malicious XPath queries on URLs, forms, or other methods
to gain access to privileged information and change it.

This article looks at how XPath attacks are usually carried out and provides an example in Java™ and XML environments. It
discusses how to detect such threats, looks at what you can do to mitigate the threat, and finally discusses what you can do
in response to a suspected penetration."

Article Link: http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html