XPath Lab 1: Login Bypass

• The query uses username and password directly in XPath.
• Try to close the quote and inject a boolean condition.
• A true condition can force the XPath filter to match an admin node.

XPath injection works like SQL injection. If user input is concatenated into an XPath expression, crafted payloads can alter boolean logic and bypass checks.