[
Lists Home |
Date Index |
Thread Index
]
> and I'd bet a zillion bucks that there are awful vulnerabilities lurking
> in the cracks where nobody could possibly have thought to look. -Tim
There are some that are inherent in XML itself: entities for example,
and the fact that there are no size limits (element name with 1e6
characters, or 1e6 attributes, or a document 1e6 elements deep). This
makes XML inherently more "dangerous" than classic binary formats like
ASN.1/DER.
There are some dangerous corners when you mix and match various XML
technologies. For example, just because the incoming message
schema-validates doesn't mean that (a) you have the right schema (does
your verifier just blindly trust xsi:schemaLocation attributes)?, or (b)
that it's really secure (does your schema limit xsd:string such that SQL
injection atttacks are prohibitied).
There are areas to be concerned when exposing (transactional)
back-office systems to the looser mix of XML and Web technologies,
causing trade-offs to perhaps be made in the "wrong" direction. Len
alluded to this in his usual elliptical style. :)
Hope this helps.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
|
