"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code

We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.

If you're serious about implementing protocols correctly, you need the Codenomicon tools."

-- Jeremy Allison,
   Co Creator of Samba

"Codenomicon has found a critical focus area which expands beyond web testing, where the XML industry has an opportunity to proactively assess the security holes contained in everyday services used by the general public. I would hope the industry warmly welcomes both the research results and an innovative testing solution to help diagnose the problems."

Prof. Howard A. Schmidt
former White House Cyber Security advisor & Codenomicon board member

DEFENSICS™ for XML   pdf

Introduction | Test Solution | XML Security Challenge | Screenshots

During the past years, XML adoption has spread rapidly reaching almost every area of business and society. XML is not a protocol in itself, but a versatile method for describing structures. It can be used for almost any purpose, hence its popularity in modern protocols, file formats and applications; there is hardly an industry where XML is not used. Here also lie the biggest security risks: versatile technologies tend to create complexity, which is a breeding ground for security vulnerabilities, in addition, the fast adoption and the diversity of use cases have overwhelmed traditional security testing and few or no security testing solutions for XML have been available to customers, until now.

Codenomicon Introduces XML Fuzzing

Early 2009 Codenomicon took the first steps in intelligent XML fuzz testing by introducing tests for the CWMP (TR-69) protocol. The product selection quickly expanded to include a general purpose XML security testing solution, which spans both standard and custom XML based protocols. The extent and magnitude of the vulnerabilities we discovered during the development of XML fuzzing reminded us of our earlier experience with ASN.1 vulnerabilities (2001-2002 PROTOS SNMP). Testing a multi-purpose technology like XML for security is challenging, but at Codenomicon we have a long background in fuzz testing.


DEFENSICS for XML is a pioneering security testing solution which addresses different aspects of XML usage: Standard XML based protocols, file formats, XML-RPC -and SOAP based application communications and security XML parsers. The model-based, stateful fuzzing technology utilized by DEFENSICS takes XML security testing to a brand new level by combining model-based stateful fuzzing with powerful editing capabilities to create an unrivalled product.

The model-based approach guarantees the intelligence of the tests. The structure of the tested XML document or message is analyzed to desgn tests which can target the most vulnerable parts of the parsers or the application processing functions. The model-based approach also allows for covering XML elements which are rarely used. Malicious input in these rarely used elements tend to cause havoc in systems, because, often, they are not subjected to rigorous testing or heavy day-to-day usage. This is one issue a fuzzer based purely on traffic samples cannot address.

The stateful nature of all the DEFENSICS test tools adds to a high degree of confidence in input space coverage. Since the tools genuinely interoperate with the system under test (SUT), testers can be assured that the input is actually being processed. This is a basic requirement of meaningful security tests. Furthermore, stateful testing means that long message sequences are supported. In other words, all the DEFENSICS test tools are able to adjust their behavior based on SUT responses, thus providing thorough input space coverage.

Contact us for more information

Learn more about how DEFENSICS can reduce your risk of zero-day attacks
Sign up for our newsletter