OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   RE: [xml-dev] Extra headaches of securing XML

[ Lists Home | Date Index | Thread Index ]

Agreed, there are [some] security concerns with XML 1.0 itself but these pale on consideration to poor security in applications that are built on XML as the interchange format. That said, platform vendors haven't done a great job in providing guidelines or mitigations for the few issues with XML that we know exist today. At work, we're trying to change this somewhat and provide some guidelines and mitigations for the more common issues with security in XML applications in upcoming months. 
 
However, the bigger is security issues in applications of XML which of course have little to do with XML itself but will smear it nonetheless.
 
-- 
PITHY WORDS OF WISDOM
Blessed are the meek for they shall inherit the Earth, minus 40% inheritance tax. 

________________________________

From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Tue 3/30/2004 10:10 AM
To: Tim Bray
Cc: Bullard, Claude L (Len); 'Hunsberger, Peter'; xml-dev@lists.xml.org; Gerben Rampaart
Subject: Re: [xml-dev] Extra headaches of securing XML



> and I'd bet a zillion bucks that there are awful vulnerabilities lurking
> in the cracks where nobody could possibly have thought to look.  -Tim

There are some that are inherent in XML itself: entities for example,
and the fact that there are no size limits (element name with 1e6
characters, or 1e6 attributes, or a document 1e6 elements deep). This
makes XML inherently more "dangerous" than classic binary formats like
ASN.1/DER.

There are some dangerous corners when you mix and match various XML
technologies.  For example, just because the incoming message
schema-validates doesn't mean that (a) you have the right schema (does
your verifier just blindly trust xsi:schemaLocation attributes)?, or (b)
that it's really secure (does your schema limit xsd:string such that SQL
injection atttacks are prohibitied).

There are areas to be concerned when exposing (transactional)
back-office systems to the looser mix of XML and Web technologies,
causing trade-offs to perhaps be made in the "wrong" direction.  Len
alluded to this in his usual elliptical style. :)

Hope this helps.
        /r$

--
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html


-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
initiative of OASIS <http://www.oasis-open.org>

The list archives are at http://lists.xml.org/archives/xml-dev/

To subscribe or unsubscribe from this list use the subscription
manager: <http://www.oasis-open.org/mlmanage/index.php>







 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS