"Codenomicon has found a critical focus area which expands beyond web testing, where the XML industry has an opportunity to proactively assess the security holes contained in everyday services used by the general public. I would hope the industry warmly welcomes both the research results and an innovative testing solution to help diagnose the problems."
Prof. Howard A. Schmidt, former White House cyber security advisor and Codenomicon board member
XML Security Challenge
XML is used everywhere, from cloud computing and 3D images to instant messaging and online commerce. Remote communication facilities are implemented using XML-RPC or SOAP, both of which are based on XML. Many standard protocols, such as XMPP, CWMP (TR-69) and UPnP, use XML extensively. XML serves as a description language in document formats like docx and OpenOffice. It is also found in diverse places such as playlists, configuration files, SVG vector graphics, RSS feeds, semantic web formats and Electronic Program Guides (EPG). Since Web Services and XML over HTTP are the favored mechanisms for integrating legacy and new systems in a service-oriented architecture (SOA), potential XML vulnerabilities are finding their way into environments that have traditionally been closed. As a result, there is no shortage of remote attack vectors for malicious users to look for.
In early 2009 Codenomicon discovered vulnerabilities in widely used XML libraries. These flaws can be used to attack a myriad of systems in various business domains. Attackers may know only a few flaws, but if those flaws are in the most widely used libraries, they can attack just about any system. XML is fairly complex, so creating a flawless XML library is almost impossible. However, while XML parser vulnerabilities can result in serious DoS (Denial of Service) conditions and even in server exploitation through remote code execution, flaws in application logic and persistent databases are usually even more damaging. Flaws in business logic may lead to incorrect or partially performed transactions. For example, a banking application might perform the necessary functions to grant a credit but fail before recording the debit, due to a database failure caused by an attack. Such a situation could arise in two ways. In the first, an attack aimed at the parser propagates to the application and causes random failures. In the second, more targeted approach, attackers acquire samples of the XML-based interaction between the server and its clients and craft attacks that pass through the parsing schema and target the application logic.
The reference architecture of an XML processing application. The potential risks include sustained DoS conditions or exploitation resulting from a failing parser or application, and incorrect data propagation to the back-end database.
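The credit-granted-but-debit-lost scenario from the banking example above, as an added illustration that is not Codenomicon's code: a transfer message that passes strict structural validation still reaches the back end with an amount the ledger cannot honour, and only the version that wraps both updates in one transaction avoids the partial transaction. The message format, account names and SQLite schema are constructed for this example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample message modelled on the page's banking example (not captured traffic).
# It is well-formed and schema-conformant, yet the amount exceeds the source balance:
# the parser accepts it and the failure only surfaces in the back-end database.
OVERDRAW_XML = b"<transfer><from>acct-1</from><to>acct-2</to><amount>99.99</amount></transfer>"
AMOUNT_RE = re.compile(r"^\d{1,9}\.\d{2}$")
CREDIT = "UPDATE accounts SET balance = balance + ? WHERE id = ?"
DEBIT = "UPDATE accounts SET balance = balance - ? WHERE id = ?"

def parse_transfer(raw):
    """Strict structural check: exactly the expected elements, amount as whole cents."""
    root = ET.fromstring(raw)
    fields = {child.tag: (child.text or "").strip() for child in root}
    if (root.tag != "transfer" or len(root) != 3 or set(fields) != {"from", "to", "amount"}
            or not AMOUNT_RE.match(fields["amount"])):
        raise ValueError("message does not match the expected schema")
    whole, frac = fields["amount"].split(".")
    return fields["from"], fields["to"], int(whole) * 100 + int(frac)

def new_ledger():
    # Fresh in-memory ledger; the CHECK constraint stands in for the back-end failure.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("acct-1", 1000), ("acct-2", 0)])
    conn.commit()
    return conn

def transfer_naive(conn, raw):
    """'Before': the credit is committed on its own, so a failing debit leaves it behind."""
    src, dst, cents = parse_transfer(raw)
    conn.execute(CREDIT, (cents, dst))
    conn.commit()  # credit is now durable
    conn.execute(DEBIT, (cents, src))  # CHECK violation here: the credit already stands
    conn.commit()

def transfer_atomic(conn, raw):
    """'After': both updates in one transaction; a failing debit rolls the credit back."""
    src, dst, cents = parse_transfer(raw)
    with conn:  # commits on success, rolls back on any exception
        conn.execute(CREDIT, (cents, dst))
        conn.execute(DEBIT, (cents, src))

def run(transfer_fn, raw):
    # Apply one message to a fresh ledger; return (accepted, balances) for inspection.
    conn = new_ledger()
    try:
        transfer_fn(conn, raw)
        accepted = True
    except (ValueError, ET.ParseError, sqlite3.Error):
        accepted = False
    return accepted, dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))
```

Running `run(transfer_naive, OVERDRAW_XML)` leaves acct-2 credited with 9999 cents while acct-1 is untouched; `run(transfer_atomic, OVERDRAW_XML)` rejects the message and leaves both balances unchanged.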
Examples of impacted business sectors are:
- Telecommunications
- IPTV
- Consumer electronics
- Banking
- Manufacturing
- Retail
- Health Care
- Government
- Electric/Gas/Water Network Companies