What are the most important security issues associated with XML? Discuss with examples.
# There are number of important security issues associated with XML which are as follows:
- XSD, XPath and XSLT are string- based languages in which operation can be specified that use a lot of time or memory. It’s a application programmers duty to validate XSD, XPath or XSLT strings form the suspicious source for not being malicious or to inspect and mitigate the possibility that evaluating these strings will lead to excessive system resource consumption.
- XSD schemas are inherently vulnerable to denial of service attacks; so schemas should not be accepted from any untrusted sources.
- XSD and XSLT can contain references to other documents or files and those references can result in cross-zone and cross-domain attacks. By default we can access any locations that do not require credentials.
- Due to the external entities in DTDs it can result in cross-zone and cross-domain attacks.
- DTDs are vulnerable to denial of service attacks. For example, DTD may contain nested entities or complex content models that can take an inordinate amount of time to process.
- Some exceptionally deep documents can cause denial of service issue so need to limit the depth of XML documents.
- Due to scripts blocks in XSLT style sheets, it may expose a number of attacks.
- Again while constructing dynamic XPath expressions, it need to be validate carefully before doing it.
- XMLReaderSettings objects can include sensitive information such as user credentials and it can be used by an untrusted component and also the user credentials to create XMLReader objects to read data.
No comments:
Post a Comment