XPath Lab 2: Secret Extraction

• The app asks only for username, but the XPath query is still injectable.
• Try payloads that make the predicate true for more than one node.
• If you can alter node selection order, the first secret may leak.

XPath predicates decide which XML nodes are returned. Injecting boolean logic into the predicate can broaden matching and expose data from unintended nodes.