feature/xpath injection (#305)
Feature for 2 XPATH injection vulnerabilities - present both in BE and FE.

---------

Co-authored-by: Tamir Gershberg <[email protected]>
2 people authored and rielas committed Mar 3, 2024
1 parent 43c04ca commit 9ba5a41
Showing 22 changed files with 908 additions and 580 deletions.
8 changes: 7 additions & 1 deletion README.md
Expand Up @@ -143,4 +143,10 @@ Additionally, the endpoint PUT /api/users/one/{email}/photo accepts SVG images,

* **ID Enumeration** - There are a few ID Enumeration vulnerabilities:
1. The endpoint DELETE `/users/one/:id/photo?isAdmin=` which is used to delete a user's profile picture is vulnerable to ID Enumeration together with [Broken Function Level Authorization](#broken-function-level-authorization).
2. The `/users/id/:id` endpoint returns user info by ID, it doesn't require neither authentication nor authorization.
2. The `/users/id/:id` endpoint returns user info by ID, it doesn't require neither authentication nor authorization.

* **XPATH Injection** - The `/api/partners/*` endpoint contains the following XPATH injection vulnerabilities:
1. The endpoint GET `/api/partners/partnerLogin` is supposed to login with the user's credentials in order to obtain account info. It's vulnerable to an XPATH injection using boolean based payloads. When exploited it'll retrieve data about other users as well. You can use `' or '1'='1` in the password field to exploit the EP.
2. The endpoint GET `/api/partners/searchPartners` is supposed to search partners' names by a given keyword. It's vulnerable to an XPATH injection using string detection payloads. When exploited, it can grant access to sensitive information like passwords and even lead to full data leak. You can use `')] | //password%00//` or `')] | //* | a[('` to exploit the EP.
3. The endpoint GET `/api/partners/query` is a raw XPATH injection endpoint. You can put whatever you like there. It is not referenced in the frontend, but it is an exposed API endpoint.
4. Note: All endpoints are vulnerable to error based payloads.
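Review bot: the new XPATH Injection entry never names the request parameter that carries the payload for two of the three endpoints, so a reader cannot reproduce items 2 and 3 from the README alone. Item 1 at least says "in the password field", but `GET /api/partners/searchPartners` only says "by a given keyword" and `GET /api/partners/query` says "You can put whatever you like there". Spell out the query-string parameter for each, ideally with a sample request the way the ID Enumeration section shows `?isAdmin=`. Two smaller points in the same lines: the lead-in reads "The `/api/partners/*` endpoint contains" while three endpoints follow, so "endpoints" is the right word; and item 4 is a note rather than a fourth endpoint, so it reads better as a trailing "Note:" sentence under the list than as a numbered item. The line "it doesn't require neither authentication nor authorization" is a double negative; since that line already appears in the hunk as both removed and re-added, "it requires neither authentication nor authorization" would fix it at no extra cost.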

0 comments on commit 9ba5a41