This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Category talk:OWASP XML Security Gateway Evaluation Criteria Project

Jump to: navigation, search

Here is the outline I propose of evaluation categories:

1.Performance - critical for edge device parsing xml steam and performing de/encryption, signing

2. Administrative 
a) Audit and Logging
b) Monitoring
c) General
 - security of product's components, interfaces, hardware compliance
 - ease of use, installation

3. XML Gateway capabilities
Routing capabilities available
Supporing for WS-routing, WSCI, WS-Coordination, WS-Security, WS-SecureConversation, etc) 
4. XML Firewall capabilities
XML threats covered 
   a) Unauthorized access
     - Authentication (WS-Security token replay)
     - Auth/Authorization (Canonicalization of inputs, principle spoofing, modification of SAML attributes)
     - Interoperability with rights/privilege standards (XACML, WS-Policy)
     - Interoperability with authentication SSO (SAML, WS-Federation, ADFS. XKMS)
     - unsafe code (format string, CSS, parameter tempering, buffer overflow, sql injection, race conditions, malformed content)
     - malicious code (virus scanning)
   b) Data Tempering
      - message capture/update/replay ( checksum spoofing, principle spoofing, timestamp spoofing, canonization for DSig, intelligent tampering)
      - unsafe application code (SQL injection)
   c) Information Disclosure
     - probing (eavesdropping, forceful browsing, directory traversal, WSDL scanning, error messages, registry disclosure)
     - external reference (Schema poisoning, routing detours, external entity)
     - unsafe application code (XML Injection, URL String attack, external references)
   d) Denial of Service
     - coercive parsing (recursive payloads, oversized payloads, replay-flooding)
     - unrestrained registries ( UDDI, ebXML Spoofing)
     - unsafe application code (inadvertent XML parsing DoS)