XQuery injection is a variant of the classic SQL injection attack, aimed at XQuery, the query language for XML, and at the XPath expressions it builds on. It arises when an application incorporates improperly validated user data directly into an XQuery or XPath expression: the attacker's input is then parsed as part of the query rather than as data, and can change the logic of the query.
With an XQuery injection, the query runs on the attacker's behalf with whatever access the XQuery routines themselves have. Depending on the engine and its configuration, an attacker can use it to enumerate elements in the victim's XML data, reach files on the local host, or run queries against remote files and data sources (XQuery functions such as doc() accept a URI, and many engines resolve file and HTTP URIs). As with SQL injection, the attacker tunnels through the application's entry point to reach the resource access layer behind it.
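The pattern described above, as an added example that is not part of the original page: a login lookup that splices user input into an XPath predicate, beside the same lookup with the values bound as variables. It uses Ruby's bundled REXML XPath engine and a constructed two-user XML store; the XQuery variant at the end shows the equivalent hardened form with declare variable ... external, which needs an XQuery engine (assumed BaseX/eXist-style bindings) that this example does not include.

```ruby
require 'rexml/document'

# Constructed sample user store for this example; not from any real system.
USERS_XML = <<~XML
  <users>
    <user role="admin"><login>admin</login><password>hunter2</password></user>
    <user role="staff"><login>alice</login><password>s3cret</password></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# VULNERABLE: user input is spliced straight into the XPath predicate, the
# pattern the text describes. Returns the matched login or nil.
# With password = "' or '1'='1" the predicate becomes
#   login='nobody' and password='' or '1'='1'
# which is true for every user, so the first user (admin) is returned.
def login_vulnerable(login, password)
  expr = "//user[login='#{login}' and password='#{password}']"
  node = REXML::XPath.first(DOC, expr)
  node && node.elements['login'].text
end

# SAFE: the same lookup with the values bound as XPath variables ($login,
# $password), so the engine never parses attacker data as query syntax.
def login_safe(login, password)
  expr = '//user[login=$login and password=$password]'
  node = REXML::XPath.first(DOC, expr, nil, 'login' => login, 'password' => password)
  node && node.elements['login'].text
end

# Defence in depth for engines without variable binding: allow-list the
# input shape before it gets anywhere near a query string.
LOGIN_PATTERN = /\A[a-z0-9_.-]{1,32}\z/

def valid_login?(login)
  LOGIN_PATTERN.match?(login)
end

# XQuery analogue of the safe lookup: the value is declared as an external
# variable and supplied by the caller, never concatenated into the query
# text. Returns the query and its bindings; "users.xml" is an assumed path.
def xquery_lookup(login)
  query = <<~XQ
    declare variable $login external;
    for $u in doc("users.xml")//user
    where $u/login = $login
    return $u/@role
  XQ
  [query, { 'login' => login }]
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or '1'='1"
  puts "vulnerable, correct creds : #{login_vulnerable('alice', 's3cret').inspect}"
  puts "vulnerable, payload       : #{login_vulnerable('nobody', payload).inspect}"
  puts "safe, payload             : #{login_safe('nobody', payload).inspect}"
  puts "allow-list rejects payload: #{!valid_login?(payload)}"
end
```

Running the script shows the vulnerable lookup authenticating an unknown user as admin from the payload alone, while the bound-variable version returns nil for the same input; the allow-list check is the fallback where an engine offers no variable binding.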
As with defending against SQL injection and cross-site scripting, the essential safeguards are web security best practices applied across the software development life cycle and secure coding: pass user data into queries as bound variables (declare variable $x external in XQuery, variable binding in XPath APIs) rather than by string concatenation, and validate input against an allow-list where binding is not available. WhiteHat recommends keeping up with examples of injection attacks and recent injection attacks to better follow hacking trends.