XPath injection occurs when user input is concatenated into an XPath query used to navigate an XML document, such as an XML-based user store. By injecting XPath syntax an attacker can rewrite the query's logic to bypass authentication or extract arbitrary nodes, similar to SQL injection but against XML data instead of a database.
The generator produces classic tautology payloads such as ' or '1'='1 and ' or 1=1 or 'a'='a that force the login XPath expression to always return true. It also outputs comment and node-closing variants to break out of the surrounding string context and select the first user node regardless of the supplied password.
When no results are shown, use boolean-based blind payloads with substring() and string-length() to ask true/false questions, for example checking substring(//user[1]/password,1,1)='a'. The XPath Injection generator builds these along with count(//*) node-counting probes so you can walk the entire XML tree one inferred character at a time.
Yes, every payload is generated client-side in your browser at no cost, and nothing you enter is transmitted to a server. Use these XPath payloads only against XML-backed applications you own or have explicit authorization to test.