Stating the obvious on XML Attacks

It looks like everything old is new again with XML Attacks...

I came across this article in the Washington Post. They use the term "XML fuzzing" to describe what is really only half of the XML threat equation: something I have always called coercive parsing, the manipulation of the XML document structure itself (nesting depth, element and attribute counts, entity expansion and the like) to exhaust or confuse the parser.

This, however, is only half of the battle. XML threats can also be semantic, meaning the attack uses the content of an otherwise well-formed document to force a downstream system to execute a particular function. This is the other element of XML threats that is left out of the discussion. Semantic threats cover cases where some part of the document is executed or interpreted downstream: SQL injection through element values, embedded JavaScript, or other embedded languages such as XPath. A document that parses cleanly and even validates against its schema can still carry such a payload, so structural checks alone do not stop it.

All in all, it is a cat and mouse game where the most important feature is extensibility: the ability to deploy protection against new, as yet unnamed threats in real time using a generalized mechanism such as regular expressions. All of these features, protection from structural threats, semantic threats, and threat extensibility, can be found in Intel's SOA Expressway.
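To make the two halves of the threat equation concrete, here is an added example (my own illustration for this post, not code from SOA Expressway or any other product) of the kind of checks a gateway sitting in front of a web service would run. The structural half streams the message through a pull parser and aborts on excessive nesting depth, element count, attribute count or text length, and refuses inline DTDs outright; the semantic half runs a table of regular-expression rules over every text node and attribute value so that new rules can be dropped in without touching the parser. The limits, the rule patterns and the sample messages are all hypothetical values I constructed for the demonstration.

```python
"""Structural (coercive parsing) and semantic checks for inbound XML messages.

Added example for illustration; limits, rules and sample messages are constructed.
"""
import re
import xml.etree.ElementTree as ET


class XmlThreat(Exception):
    """Raised when a message violates the structural policy."""


# Structural policy.  Hypothetical values chosen for the demonstration; a real
# gateway would tune them per service.
MAX_DEPTH = 8        # deepest element nesting allowed
MAX_ELEMENTS = 500   # total elements per message
MAX_ATTRS = 16       # attributes on any single element
MAX_TEXT = 2048      # characters of text in any single element
CHUNK = 256          # bytes fed to the parser per step, so we can stop early

# Inline DTDs are what make entity-expansion ("billion laughs") attacks possible,
# so reject them before the parser ever sees the document.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.I)

# Semantic policy: regular-expression rules keyed by name.  Because this is a
# plain dict, an operator can add a rule for a new threat without code changes.
SEMANTIC_RULES = {
    "sql_injection": re.compile(
        r"(?i)(\bunion\b\s+(all\s+)?select\b|'\s*or\s+'?\w+'?\s*=|;\s*(drop|delete|insert|update)\b|--\s*$)",
        re.M),
    "xpath_injection": re.compile(r"(?i)(\]\s*\|\s*//|\bor\s+\d+\s*=\s*\d+)"),
    "embedded_script": re.compile(r"(?i)<\s*script\b|javascript:"),
}


def check_structure(doc):
    """Stream the document through the parser, enforcing the structural limits.

    Returns (root_element, stats) or raises XmlThreat.  Feeding the parser in
    small chunks lets the check abort before an oversized or deeply nested
    message has been fully parsed and materialised in memory.
    """
    if DOCTYPE_RE.search(doc):
        raise XmlThreat("DOCTYPE not allowed: inline DTDs enable entity expansion attacks")
    parser = ET.XMLPullParser(events=("start", "end"))
    state = {"depth": 0, "max_depth": 0, "elements": 0, "root": None}

    def handle(event, elem):
        if event == "start":
            state["depth"] += 1
            state["elements"] += 1
            state["max_depth"] = max(state["max_depth"], state["depth"])
            if state["root"] is None:
                state["root"] = elem
            if state["depth"] > MAX_DEPTH:
                raise XmlThreat(f"nesting depth {state['depth']} exceeds {MAX_DEPTH}")
            if state["elements"] > MAX_ELEMENTS:
                raise XmlThreat(f"element count exceeds {MAX_ELEMENTS}")
            if len(elem.attrib) > MAX_ATTRS:
                raise XmlThreat(f"<{elem.tag}> has more than {MAX_ATTRS} attributes")
        else:  # "end": text is flushed into the element by now
            state["depth"] -= 1
            if elem.text and len(elem.text) > MAX_TEXT:
                raise XmlThreat(f"<{elem.tag}> text exceeds {MAX_TEXT} characters")

    try:
        for i in range(0, len(doc), CHUNK):
            parser.feed(doc[i:i + CHUNK])
            for event, elem in parser.read_events():
                handle(event, elem)
        parser.close()  # XMLPullParser.close() returns None; root was captured above
        for event, elem in parser.read_events():
            handle(event, elem)
    except ET.ParseError as e:
        raise XmlThreat(f"malformed XML: {e}") from None
    return state["root"], {"max_depth": state["max_depth"], "elements": state["elements"]}


def check_semantics(root):
    """Run every semantic rule over every text node and attribute value.

    Returns a list of (rule_name, path) findings; empty means nothing fired.
    """
    findings = []

    def scan(value, path):
        if not value:
            return
        for name, rx in SEMANTIC_RULES.items():
            if rx.search(value):
                findings.append((name, path))

    def walk(elem, path):
        path = f"{path}/{elem.tag}"
        scan(elem.text, path)
        for key, value in elem.attrib.items():
            scan(value, f"{path}/@{key}")
        for child in elem:
            walk(child, path)
            scan(child.tail, path)

    walk(root, "")
    return findings


def screen_message(doc):
    """Structural check first (may raise XmlThreat), then semantic findings."""
    root, stats = check_structure(doc)
    stats["findings"] = check_semantics(root)
    return stats


# Constructed sample messages (not captured traffic).
BENIGN = b'<?xml version="1.0"?><order><customer>Blake</customer><item sku="A1">Widget</item></order>'
DEEP = b"<a>" * 20 + b"x" + b"</a>" * 20                     # nested 20 deep
DTD = b'<!DOCTYPE lol [<!ENTITY a "aaaa">]><r>&a;</r>'        # inline DTD
SQLI = b"<login><user>admin' OR '1'='1</user><pw>x</pw></login>"
XPATHI = b"<lookup><id>1 ] | //*[ 1</id></lookup>"
SCRIPT = b"<post><body>&lt;script&gt;alert(1)&lt;/script&gt;</body></post>"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("deep", DEEP), ("dtd", DTD),
                          ("sqli", SQLI), ("xpath", XPATHI), ("script", SCRIPT)]:
        try:
            print(label, screen_message(sample))
        except XmlThreat as e:
            print(label, "REJECTED:", e)
```

Note that the SCRIPT sample is entity-encoded on the wire; it is only after parsing that the text node reads `<script>alert(1)</script>`, which is why the semantic rules must run on decoded values rather than on the raw bytes. The structural check, by contrast, deliberately runs on the raw bytes for the DOCTYPE test, because the whole point is to refuse the document before the parser expands anything.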

Posted by Blake Dournaee on 8:20 AM


Anonymous said...

What a boring blog... What's your opinion on the whole Tiger Woods thing?

Anonymous said...

I agree - BORING. Would be interested in your opinion on Tiger Woods as well

Anonymous said...

At least give us your thoughts on Nietzsche's concept of the Übermensch

e signature said...

As you mentioned, XML threats can also be semantic, meaning the attack is modifying the structure of the XML document to force a downstream system to execute a particular function. That type of attack might require a complete understanding of the XML structure and its purpose to modify it into something else.




About Me

I have been working in the XML/SOA and security space for about 10 years. I currently work at Intel Corporation in their software group. I wrote the first book on XML Security and am a co-author of SOA Demystified from Intel Press. My interests are an eclectic mix of computing, security, business, technology and philosophy.