OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Exploiting XML namespaces formatted as IRIs(Internationalized Resource Identifiers) to perpetrate an IDN homograph attack

I am not sure this can be fully prevented (it probably is no more preventable than exploits based on slight misspellings of common domain names like citibanks dot com)

However, my understanding is that ultimately namespaces are rarely used as links for humans, and so if a machine is reading the namespace iri, it can distinguish between the two. If you do want to use the namespace like a further info link, you may want to use a whitelist or blacklist technique or algorithm.

In the end, exposing arbitrary namespace iris to users requires the same degree of security as exposing iri links.

Of course, I am no expert (I would say I am a intermediate xml developer), so take my words with a grain of salt.

-John Thomas

On Dec 9, 2011 9:28 AM, "Costello, Roger L." <costello@mitre.org> wrote:
Hi Folks,

The namespaces in XML 1.1 can be any IRI (Internationalized Resource Identifier) [1]

Oftentimes namespaces are used in a dual role, as a label for an XML vocabulary and as an actual URL that one can dereference to get further information.

Namespaces formatted as IRIs opens up the possibility for a new type of attack: an IDN homograph attack [2].

The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive users about what remote system they are communicating with, by exploiting the fact that many different characters look alike, (i.e., they are homographs, hence the term for the attack). For example, consider an XML document with the namespace http://www.citibank.com

<Document xmlns=" http://www.citibank.com">

where the Latin C is replaced with the Cyrillic . A user of the XML document may dereference the namespace URL and end up at a web site that looks like Citibank but isn't. If the user were to enter their username and password then their information would go into the wrong hands.

How can this attack be prevented?


[1] http://www.w3.org/TR/xml-names11/#iri-use

[2] http://en.wikipedia.org/wiki/IDN_homograph_attack


XML-DEV is a publicly archived, unmoderated list hosted by OASIS
to support XML implementation and development. To minimize
spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
subscribe: xml-dev-subscribe@lists.xml.org
List archive: http://lists.xml.org/archives/xml-dev/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS