Stating the obvious on XML Attacks

It looks like everything old is new again with XML Attacks...

I came across this article in the Washington Post. It uses the term "XML fuzzing" to describe what is really only half of the XML threat equation: what I have always called coercive parsing, the manipulation of the XML document's structure (nesting depth, element and attribute counts, entity declarations, sheer size) to exhaust or crash the parser itself.
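As an added example (not code from the original post or from Intel SOA Expressway), here is a streaming structural check of the kind a gateway applies before a document reaches a full parser. It uses only Python's standard-library expat bindings; the limits, the error type and the sample documents (an order, a deeply nested document, a billion-laughs entity bomb) are assumed for illustration.

```python
"""Structural (coercive-parsing) checks for untrusted XML.

Added example, not code from the original post or from Intel SOA Expressway.
Uses only the standard-library expat parser; the limits and the sample
documents below are constructed for illustration.
"""
import xml.parsers.expat


class CoerciveParsingError(ValueError):
    """Raised when the document's structure violates a configured limit."""


# Assumed limits (tune per application): a normal business document is a few
# levels deep and a few thousand elements; a coercive payload needs far more.
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000
MAX_ATTRS_PER_ELEMENT = 64
MAX_TEXT_BYTES = 1_000_000


def check_xml_structure(data: bytes) -> dict:
    """Stream the document once; raise CoerciveParsingError on the first
    violation, otherwise return depth/element/text statistics.

    Because the parser is streaming, a hostile document is rejected as soon
    as it crosses a limit, not after it has been fully built in memory."""
    parser = xml.parsers.expat.ParserCreate()
    depth = 0
    stats = {"max_depth": 0, "elements": 0, "text_bytes": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entity declarations (billion laughs, external entities) can only
        # appear inside a DOCTYPE. Refusing the DOCTYPE before any entity is
        # declared is cheaper and safer than bounding expansion afterwards.
        raise CoerciveParsingError("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > MAX_DEPTH:
            raise CoerciveParsingError(f"nesting depth {depth} exceeds {MAX_DEPTH}")
        if stats["elements"] > MAX_ELEMENTS:
            raise CoerciveParsingError(f"more than {MAX_ELEMENTS} elements")
        if len(attrs) > MAX_ATTRS_PER_ELEMENT:
            raise CoerciveParsingError(f"<{name}> carries {len(attrs)} attributes")

    def on_end(name):
        nonlocal depth
        depth -= 1

    def on_text(text):
        stats["text_bytes"] += len(text.encode("utf-8"))
        if stats["text_bytes"] > MAX_TEXT_BYTES:
            raise CoerciveParsingError("character data exceeds size limit")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(data, True)  # an exception in a handler aborts the parse
    except xml.parsers.expat.ExpatError as exc:
        raise CoerciveParsingError(f"malformed XML: {exc}") from exc
    return stats


def is_structurally_safe(data: bytes) -> bool:
    """Gateway-style accept/reject decision."""
    try:
        check_xml_structure(data)
        return True
    except CoerciveParsingError:
        return False


# Constructed sample documents.
ORDER = b'<order id="1"><item sku="X1">2</item></order>'
DEEP_NESTING = b"<r>" + b"<a>" * 100 + b"</a>" * 100 + b"</r>"
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

if __name__ == "__main__":
    print(check_xml_structure(ORDER))
    for doc in (DEEP_NESTING, BILLION_LAUGHS):
        print(is_structurally_safe(doc))
```

The entity bomb is rejected at the `<!DOCTYPE` token, before a single entity is declared, which is why the check never needs to reason about expansion ratios; the deeply nested document is rejected at the 33rd open tag, not after the whole tree has been allocated.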

This, however, is only half of the battle. XML threats can also be semantic, meaning the document itself stays well-formed and the attack rides in its content, placed so that a downstream system will interpret or execute it. This is the other element of XML threats that is left out of the discussion. Semantic threats cover the cases where part of the XML document is executed in some way: SQL injection, embedded JavaScript, or other embedded languages such as XPath.

All in all, it is a cat and mouse game, and the most important feature of a defence is extensibility: the ability to deploy protection against new, as yet unnamed threats in real time through a generalized mechanism such as regular expressions. All of these features, protection from structural threats, protection from semantic threats, and threat extensibility, can be found in Intel's SOA Expressway.
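The following block is an added example (not code from the original post or from Intel SOA Expressway) that covers both the semantic-threat paragraph and the regular-expression extensibility point above. It shows a well-formed login document that would pass any structural check yet compromises the SQL layer behind it, the parameterized query that neutralizes it, and a small signature screen of the pattern-driven kind a gateway uses to catch content it has not seen before. The login schema, the in-memory database and the signatures are assumptions made for illustration.

```python
"""Semantic XML threats: a well-formed document whose content is executed
downstream, plus a pattern-based screen for such content.

Added example, not code from the original post or from Intel SOA Expressway.
The login schema, the database and the signature patterns are constructed
for illustration.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed requests. Both are structurally unremarkable (two levels,
# three elements, no DOCTYPE) and would pass any depth/size/entity limit;
# the attack lives entirely in the <pass> value.
MALICIOUS_LOGIN = b"""<login>
  <user>alice</user>
  <pass>x' OR '1'='1</pass>
</login>"""
BENIGN_LOGIN = b"<login><user>alice</user><pass>wrong</pass></login>"


def make_db() -> sqlite3.Connection:
    """Constructed user table standing in for the downstream system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def credentials(xml_bytes: bytes):
    root = ET.fromstring(xml_bytes)
    return root.findtext("user"), root.findtext("pass")


def login_vulnerable(conn, xml_bytes: bytes) -> bool:
    """Deliberately vulnerable: XML text is spliced into the SQL string, so
    the quote and OR inside <pass> become part of the query."""
    user, pw = credentials(xml_bytes)
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, xml_bytes: bytes) -> bool:
    """Hardened: the same values travel as bound parameters, so the
    downstream system never interprets them as SQL."""
    user, pw = credentials(xml_bytes)
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


# Gateway-style screening signatures (constructed). A real deployment loads
# these from configuration so a new pattern can be pushed without a code
# change; each one is applied to every text node and attribute value.
SIGNATURES = {
    "sql-tautology": re.compile(r"'\s*(?:or|and)\s*'[^']*'\s*=", re.IGNORECASE),
    "sql-comment": re.compile(r"--|/\*"),
    "script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}


def scan_content(xml_bytes: bytes):
    """Return (element_tag, signature_name) pairs for every text node, tail
    or attribute value that matches a signature."""
    hits = []
    for elem in ET.fromstring(xml_bytes).iter():
        values = [elem.text or "", elem.tail or ""] + list(elem.attrib.values())
        for value in values:
            for name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits.append((elem.tag, name))
    return hits


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_LOGIN), ("benign", BENIGN_LOGIN)):
        print(label, "vulnerable:", login_vulnerable(make_db(), doc),
              "safe:", login_safe(make_db(), doc), "hits:", scan_content(doc))
```

The signature screen is a detection layer and will always trail the attacker (a tautology written as `'1'<'2'` slips past the pattern above); the durable fix for the semantic class is on the consuming side, which is why `login_safe` binds parameters rather than relying on the gateway.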

Posted by Blake Dournaee on 8:20 AM

5 comments:

Anonymous said...

What a boring blog... What's your opinion on the whole Tiger Woods thing?

Anonymous said...

I agree - BORING. Would be interested in your opinion on Tiger Woods as well

Anonymous said...

At least give us your thoughts on Nietzsche's concept of the Übermensch

e signature said...

As you mentioned, XML threats can also be semantic, meaning the attack is modifying the structure of the XML document to force a down-stream system to execute a particular function. That type of attack might require complete understanding of the XML structure and its purpose to modify it to something else.

tablet pc android said...

Pretty helpful material, thanks so much for the article.

About Me

I have been working in the XML/SOA and security space for about 10 years. I currently work at Intel Corporation in their software group. I wrote the first book on XML Security and am a co-author of SOA Demystified from Intel Press. My interests are an eclectic mix of computing, security, business, technology and philosophy.