XML.orgXML.org
FOCUS AREAS |XML-DEV |XML.org DAILY NEWSLINK |REGISTRY |RESOURCES |ABOUT
OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Exploiting XML namespaces formatted as IRIs (Internationalized Resource Identifiers) to perpetrate an IDN homograph attack

At 2011-12-09 16:24 +0000, Costello, Roger L. wrote:
>Hi Folks,
>
>The namespaces in XML 1.1 can be any IRI 
>(Internationalized Resource Identifier) [1]
>
>Oftentimes namespaces are used in a dual role, 
>as a label for an XML vocabulary and as an 
>actual URL that one can dereference to get further information.
>
>Namespaces formatted as IRIs opens up the 
>possibility for a new type of attack: an IDN homograph attack [2].
>
>The internationalized domain name (IDN) 
>homograph attack is a way a malicious party may 
>deceive users about what remote system they are 
>communicating with, by exploiting the fact that 
>many different characters look alike, (i.e., 
>they are homographs, hence the term for the 
>attack). For example, consider an XML document 
>with the namespace http://www.citibank.com
>
><Document xmlns=" http://www.citibank.com";>
>      ...
></Document>
>
>where the Latin C is replaced with the Cyrillic 
>. A user of the XML document may dereference 
>the namespace URL and end up at a web site that 
>looks like Citibank but isn't. If the user were 
>to enter their username and password then their 
>information would go into the wrong hands.
>
>How can this attack be prevented?

If they received a document with a bogus 
namespace IRI, none of their namespace-aware XML 
processing would be successful and they would 
know right away that there is a problem.

While I've seen an XHTML page (typically with 
RDDL attributes) at the URL of the namespace URI, 
I've not seen any site that would require 
credentials to get access to namespace-related 
information.  That would be another red flag to me that something is amiss.

I would not be very worried about the scenario you present.

. . . . . . . . . . Ken


--
Contact us for world-wide XML consulting and instructor-led training
Free 5-hour video lecture: XSLT/XPath 1.0 & 2.0 http://ude.my/t37DVX
Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/x/
G. Ken Holman                   mailto:gkholman@CraneSoftwrights.com
Google+ profile: https://plus.google.com/116832879756988317389/about
Legal business disclaimers:    http://www.CraneSoftwrights.com/legal



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS