RE: [xml-dev] XML processor attacks

Hello,

I am aware of some XXE attacks (tricking the XML processor into accessing files which should be unauthorized for access, e.g., password files). I think that attacks that are "hidden" in file inclusions or are being referred to from an XML document also fall into this category.

There is also the famous XML bomb, a recursive definition of attributes designed to cause an XML processor to consume too much memory.

What do you mean by "attribute/name resolution attacks"?

Shlomo

-----Original Message-----
From: derek denny-brown [mailto:zuligag@gmail.com] 
Sent: Wed 31 January 2007 01:20
To: Shlomo Yona
Cc: xml-dev@lists.xml.org
Subject: Re: [xml-dev] XML processor attacks

I have never seen a comprehensive list.  I know that when I was at MS
and worked on making the parsers robust against DoS attacks, we found
attacks that we had not seen published.  The only really bad attacks
are related to entity expansion, as I remember.  A lot of people are
all paranoid about attribute/name resolution attacks that turn out to
be comparatively trivial.

On 1/30/07, Shlomo Yona <S.Yona@f5.com> wrote:
> Hello,
>
> I've been googling a lot and was unable to find a summary of XML
> processor attacks.
>
> What I'm looking for is some kind of a list of XML parser/processor
> attacks, which should be considered when implementing XML standard for
> creating such processors.
>
> Is there such a list?
>
> If not, can this be a legitimate discussion on this list?
>
> Thanks.
>
> Shlomo.
>
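
Added example, not part of the original thread: a screening step that rejects a document as soon as it declares a DOCTYPE or an entity, so neither the entity-expansion case nor the XXE case mentioned above reaches expansion. The use of Python's standard-library expat binding, the names `screen` and `ForbiddenXML`, and the sample documents are assumptions made for illustration.

```python
import xml.parsers.expat as expat

class ForbiddenXML(ValueError):
    """A construct the screening policy refuses to process."""

def screen(data: bytes, allow_dtd: bool = False) -> str:
    """Return "ok", "malformed", or "rejected: <reason>" without expanding entities."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise ForbiddenXML("DOCTYPE declaration")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # expat passes value=None for external (SYSTEM/PUBLIC) entities.
        kind = "external" if value is None else "internal"
        raise ForbiddenXML(f"{kind} entity declaration {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except ForbiddenXML as exc:
        return f"rejected: {exc}"
    except expat.ExpatError:
        return "malformed"
    return "ok"

# Constructed samples, deliberately tiny (two levels of nesting only).
NESTED = b"""<!DOCTYPE r [
  <!ENTITY a "xx">
  <!ENTITY b "&a;&a;">
]><r>&b;</r>"""
EXTERNAL = b"""<!DOCTYPE r [
  <!ENTITY x SYSTEM "file:///constructed/placeholder">
]><r>&x;</r>"""
DTD_ONLY = b"<!DOCTYPE r [<!ELEMENT r (#PCDATA)>]><r>hi</r>"

if __name__ == "__main__":
    for label, doc in [("nested", NESTED), ("external", EXTERNAL), ("dtd", DTD_ONLY)]:
        print(label, screen(doc), "|", screen(doc, allow_dtd=True))
```

With `allow_dtd=True` a DTD that only declares elements still passes, while any entity declaration is refused at the point it is declared rather than when it is referenced.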


Copyright 1993-2007 XML.org. This site is hosted by OASIS