This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "XML Security Cheat Sheet"

From OWASP
Jump to: navigation, search
(Created page with "== Introduction == Specifications for XML and XML schemas include multiple security flaws. At the same time, these specifications provide the tools required to protect XML ap...")
 
(Authors and Primary Editors)
Line 5: Line 5:
 
=Authors and Primary Editors=
 
=Authors and Primary Editors=
  
Fernando Arnaboldi [email protected]
+
[mailto:[email protected] Fernando Arnaboldi]
  
 
=  Malformed XML Documents =
 
=  Malformed XML Documents =

Revision as of 08:06, 11 December 2016

Introduction

Specifications for XML and XML schemas include multiple security flaws. At the same time, these specifications provide the tools required to protect XML applications. This provides a complex scenario for developers, and a fun environment for hackers. Even though we use XML schemas to define the security of XML documents, they can be used to perform a variety of attacks: file retrieval, server side request forgery, port scanning, or brute forcing. This talk will analyze how to infer new attack vectors by analyzing the current vulnerabilities, and how it is possible to affect common libraries and software. This cheatsheet will also provide recommendations for safe deployment of applications relying on XML.

Authors and Primary Editors

Fernando Arnaboldi

Malformed XML Documents

The W3C XML specification defines a set of principles that XML documents must follow to be considered well formed. When a document violates any of these principles, the data it contains is considered malformed. Multiple tactics will cause a malformed document: removing an ending tag, rearranging the order of elements into a nonsensical structure, introducing forbidden characters, and so on. Without thorough testing, applications can be susceptible to vulnerabilities when supplied with malformed documents. Developers may not consider all of the potential types of inputs when designing software, since this is something normally found during the testing phase of a product.

In this example of a simple malformed document, the final ending tag is inconclusive:

<element>
 Some content
</element

The XML parser should stop execution once detecting a fatal error. The document shouldn’t undergo any additional processing, and the application should display an error message. The following are vulnerabilities related to malformed XML documents: