This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

XML Security Cheat Sheet

Revision as of 08:06, 11 December 2016 by Jmanico (talk | contribs) (Authors and Primary Editors)

Jump to: navigation, search


Specifications for XML and XML schemas include multiple security flaws. At the same time, these specifications provide the tools required to protect XML applications. This provides a complex scenario for developers, and a fun environment for hackers. Even though we use XML schemas to define the security of XML documents, they can be used to perform a variety of attacks: file retrieval, server side request forgery, port scanning, or brute forcing. This talk will analyze how to infer new attack vectors by analyzing the current vulnerabilities, and how it is possible to affect common libraries and software. This cheatsheet will also provide recommendations for safe deployment of applications relying on XML.

Authors and Primary Editors

Fernando Arnaboldi

Malformed XML Documents

The W3C XML specification defines a set of principles that XML documents must follow to be considered well formed. When a document violates any of these principles, the data it contains is considered malformed. Multiple tactics will cause a malformed document: removing an ending tag, rearranging the order of elements into a nonsensical structure, introducing forbidden characters, and so on. Without thorough testing, applications can be susceptible to vulnerabilities when supplied with malformed documents. Developers may not consider all of the potential types of inputs when designing software, since this is something normally found during the testing phase of a product.

In this example of a simple malformed document, the final ending tag is inconclusive:

 Some content

The XML parser should stop execution once detecting a fatal error. The document shouldn’t undergo any additional processing, and the application should display an error message. The following are vulnerabilities related to malformed XML documents: