"This paper describes a Blind XPath Injection attack that enables an attacker to extract a complete XML document used for XPath querying - without prior knowledge of the XPath query. The attack is "complete" since all possible data is exposed. The attack
makes use of two techniques -- XPath crawling, and Booleanization of XPath queries. Using this attack, it is possible to get hold of the XML "database" used in the XPath query.
This can be most powerful against sites that use XPath queries (and XML
"databases") for authentication, searching, and other uses."PDF: Blind XPath Injection