Very good read. We need more stuff like this floating around our group. Just curious, did you end up winning the challenge?
On Tue, Dec 15, 2009 at 3:10 AM, Processor-Dev1l <[email protected]> wrote:
> Well, after a really long time I logged into my account and
> HellBoundHackers and I found one very interesting challenge that is
> new for me, Web Hacking Basic 29. Why am I writing this here?
> Because to win the challenge you have to use XPath Injection.
> XPath Injection is a very powerful attack (something in the way of SQL
> Injection) and an attacker can log into your xml-based database with no
> knowledge of usernames/passwords, view the contents of your xml database
> and change its content.
>
> A very good description can be found here
> http://www.webappsec.org/projects/threat/classes/xpath_injection.shtml
> I hope this will help many programmers to make their apps more secure :)
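The login weakness described in the quoted post, shown next to two fixes, as an added example that is not part of the original thread or of the challenge. The user store, the function names and the sample input are constructed for illustration, and the sample keeps passwords in plain text only to stay short.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed sample data, not taken from the thread.
USERS_XML = """<users>
  <user><name>alice</name><password>s3cret</password></user>
  <user><name>bob</name><password>hunter2</password></user>
</users>"""
HOSTILE = "x' or '1'='1"  # constructed input containing quote characters

def vulnerable_query(name, password):
    """Unsafe: input is pasted into the expression, so a quote in the
    input ends the string literal and the rest is parsed as XPath."""
    return "//user[name='%s' and password='%s']" % (name, password)

def xpath_literal(value):
    """Quote value as an XPath 1.0 string literal. XPath 1.0 has no
    escape character, so mixed quotes need concat()."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    pieces = ["'%s'" % part for part in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"

def safe_query(name, password):
    """Same lookup, but the input always stays inside one literal."""
    return "//user[name=%s and password=%s]" % (
        xpath_literal(name), xpath_literal(password))

def login(name, password):
    """Preferred: build no expression from input; compare values in code."""
    for user in ET.fromstring(USERS_XML).iter("user"):
        n = user.findtext("name", "").encode()
        p = user.findtext("password", "").encode()
        if hmac.compare_digest(n, name.encode()) and \
                hmac.compare_digest(p, password.encode()):
            return True
    return False

if __name__ == "__main__":
    print(vulnerable_query(HOSTILE, HOSTILE))  # predicate gains 'or' terms
    print(safe_query(HOSTILE, HOSTILE))        # input remains a single string
    print(login("alice", "s3cret"), login(HOSTILE, HOSTILE))
```

Where the XPath library supports bound variables, passing the values as variables is preferable to quoting them by hand.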
