Well, after a really long time I logged into my account at HellBoundHackers and found one very interesting challenge that is new to me: Web Hacking Basic 29. Why am I writing this here? Because to win the challenge you have to use XPath Injection. XPath Injection is a very powerful attack (something along the lines of SQL Injection): an attacker can log into your XML-based database with no knowledge of usernames/passwords, view the contents of your XML database and change its content.
A very good description can be found here: http://www.webappsec.org/projects/threat/classes/xpath_injection.shtml. I hope this will help many programmers make their apps more secure :)
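For programmers who want to see the fix, here is an added example (not from the challenge or from the linked article) that puts a login check built by string concatenation next to one that passes input as XPath variables. It assumes Python with the lxml library; the user store, the function names and the test input are constructed for illustration.

```python
from lxml import etree

# Constructed sample store. Plaintext passwords keep the demo short;
# a real store would hold password hashes.
USERS_XML = b"""<users>
  <user><name>alice</name><password>s3cret-A</password><role>admin</role></user>
  <user><name>bob</name><password>s3cret-B</password><role>user</role></user>
</users>"""
ROOT = etree.fromstring(USERS_XML)

# Constructed textbook input: the quote ends the string literal early,
# so the rest of the value is parsed as XPath operators.
QUOTE_INPUT = "' or '1'='1"


def login_vulnerable(username, password):
    """Concatenates input into the query, so input can become XPath syntax."""
    query = ("/users/user[name='" + username +
             "' and password='" + password + "']/name/text()")
    hits = ROOT.xpath(query)
    return hits[0] if hits else None


def login_hardened(username, password):
    """Binds input to $u and $p; the values are only compared as strings."""
    hits = ROOT.xpath("/users/user[name=$u and password=$p]/name/text()",
                      u=username, p=password)
    return hits[0] if hits else None


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, "valid credentials ->", fn("alice", "s3cret-A"))
        print(fn.__name__, "quote input       ->", fn(QUOTE_INPUT, QUOTE_INPUT))
```

A lone quote character makes the concatenated version raise an XPath syntax error, so unexpected XPath errors in application logs are worth alerting on.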
