Stating the obvious on XML Attacks
It looks like everything old is new again with XML Attacks...
I came across this article in the Washington Post. They use the term "XML fuzzing" to describe really just 50% of the XML threat equation - something I have always called coercive parsing, which is the manipulation of the XML document structure.
This, however, is only half of the battle. XML threats can also be semantic, meaning the attack modifies the structure of the XML document to force a downstream system to execute a particular function. This is the other element of XML threats that is left out of the discussion. Semantic threats cover areas where the XML document is executed in some way, such as SQL injection, embedded JavaScript, or other embedded languages like XPath.
All in all, it is a cat-and-mouse game where the most important feature is extensibility: the ability to deploy coverage for new, as yet unnamed threats in real time using a generalized mechanism such as regular expressions. All of these features (protection from structural threats, protection from semantic threats, and threat extensibility) can be found in Intel's SOA Expressway.
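To make the split between structural and semantic threats concrete, here is a small message screen written as an added example; it is not code from this post or from any product. The limits, rule names, regular expressions and the `screen` function are assumptions chosen for illustration.

```python
import re
import xml.parsers.expat as expat

# Limits and patterns are illustrative assumptions; tune them per service.
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 64_000, 16, 1_000
RULES = {  # extensible: a new threat is one more name and regex
    "sql-injection": re.compile(r"['\"]\s*(or|and)\s+\S+\s*=|\bunion\s+select\b", re.I),
    "embedded-script": re.compile(r"<\s*script\b|javascript:", re.I),
    "xpath-function": re.compile(r"\b(count|substring|string-length)\s*\(", re.I),
}
# Constructed sample: well-formed XML whose text carries a SQL fragment.
SAMPLE = b"<order><id>1' OR '1'='1</id></order>"

class StructuralViolation(Exception):
    """Raised from a parser callback to stop parsing early."""

def screen(xml_bytes, rules=RULES):
    """Return a list of findings; an empty list means both checks passed."""
    if len(xml_bytes) > MAX_BYTES:
        return ["structural: message too large"]
    findings, stack, count = [], [], 0

    def scan(value, where):  # semantic check on decoded text and attributes
        for name, rx in rules.items():
            if rx.search(value):
                findings.append(f"semantic: {name} in {where}")

    def start(tag, attrs):  # structural check while the document streams in
        nonlocal count
        count += 1
        stack.append(tag)
        if len(stack) > MAX_DEPTH or count > MAX_ELEMENTS:
            raise StructuralViolation("depth or element limit exceeded")
        for key, value in attrs.items():
            scan(value, f"<{tag}> attribute {key}")

    def doctype(*_args):  # DTDs enable entity-expansion tricks; refuse them
        raise StructuralViolation("DTD not allowed")

    parser = expat.ParserCreate()
    parser.buffer_text = True  # deliver adjacent character data as one chunk
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = lambda data: scan(data, f"<{stack[-1]}> text")
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(xml_bytes, True)
    except (StructuralViolation, expat.ExpatError) as exc:
        return [f"structural: {exc}"]
    return findings
```

A message that passes the structural limits can still fail the semantic rules, which is the half that a structure-only check never sees.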
5 comments:
What a boring blog... What's your opinion on the whole Tiger Woods thing?
I agree - BORING. Would be interested in your opinion on Tiger Woods as well
At least give us your thoughts on Nietzsche's concept of the Übermensch
As you mentioned that XML threats can also be semantic, meaning the attack is modifying the structure of the XML document to force a down-stream system to execute a particular function. That type of attack might require complete understanding of XML structure and its purpose to modify it to something else.
Pretty helpful material, thanks so much for the article.