OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Extra headaches of securing XML

[ Lists Home | Date Index | Thread Index ]

> and I'd bet a zillion bucks that there are awful vulnerabilities lurking 
> in the cracks where nobody could possibly have thought to look.  -Tim

There are some that are inherent in XML itself: entities for example, 
and the fact that there are no size limits (element name with 1e6 
characters, or 1e6 attributes, or a document 1e6 elements deep). This 
makes XML inherently more "dangerous" than classic binary formats like 

There are some dangerous corners when you mix and match various XML 
technologies.  For example, just because the incoming message 
schema-validates doesn't mean that (a) you have the right schema (does 
your verifier just blindly trust xsi:schemaLocation attributes)?, or (b) 
that it's really secure (does your schema limit xsd:string such that SQL 
injection atttacks are prohibitied).

There are areas to be concerned when exposing (transactional) 
back-office systems to the looser mix of XML and Web technologies, 
causing trade-offs to perhaps be made in the "wrong" direction.  Len 
alluded to this in his usual elliptical style. :)

Hope this helps.

Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS