
Difference between revisions of "XML Security Cheat Sheet"

From OWASP
(Authors and Primary Editors)
m (Point to the official site)
 
(48 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Introduction ==
+
__NOTOC__
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
Specifications for XML and XML schemas include multiple security flaws. At the same time, these specifications provide the tools required to protect XML applications. This provides a complex scenario for developers, and a fun environment for hackers. Even though we use XML schemas to define the security of XML documents, they can be used to perform a variety of attacks: file retrieval, server side request forgery, port scanning, or brute forcing. This talk will analyze how to infer new attack vectors by analyzing the current vulnerabilities, and how it is possible to affect common libraries and software. This cheatsheet will also provide recommendations for safe deployment of applications relying on XML.
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
=Authors and Primary Editors=
+
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html XML Security Cheat Sheet] to see the latest version of the cheat sheet.
 
 
[mailto:fernando.arnaboldi@ioactive.com Fernando Arnaboldi]
 
 
 
=  Malformed XML Documents =
 
 
 
The W3C XML specification defines a set of principles that XML documents must follow to be considered well formed. When a document violates any of these principles, the data it contains is considered malformed. Multiple tactics will cause a malformed document: removing an ending tag, rearranging the order of elements into a nonsensical structure, introducing forbidden characters, and so on. Without thorough testing, applications can be susceptible to vulnerabilities when supplied with malformed documents. Developers may not consider all of the potential types of inputs when designing software, since this is something normally found during the testing phase of a product.
 
 
 
In this example of a simple malformed document, the final ending tag is inconclusive:
 
 
 
<element>
 
  Some content
 
</element
 
 
 
The XML parser should stop execution once detecting a fatal error. The document shouldn’t undergo any additional processing, and the application should display an error message.
 
The following are vulnerabilities related to malformed XML documents:
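Review bot: the added header `<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">` separates `border:0` and `margin:0` with a comma instead of a semicolon, so the browser parses a single `border` declaration with the invalid value `0,margin:0` and drops it, applying neither property; change it to `border:0;margin:0;`.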
 

Latest revision as of 14:32, 15 July 2019


The Cheat Sheet Series project has been moved to GitHub!

Please visit XML Security Cheat Sheet to see the latest version of the cheat sheet.