XML Security Cheat Sheet

Introduction
Specifications for XML and XML schemas include multiple security flaws. At the same time, these specifications provide the tools required to protect XML applications. This provides a complex scenario for developers, and a fun environment for hackers. Even though we use XML schemas to define the security of XML documents, they can be used to perform a variety of attacks: file retrieval, server side request forgery, port scanning, or brute forcing. This talk will analyze how to infer new attack vectors by analyzing the current vulnerabilities, and how it is possible to affect common libraries and software. This cheatsheet will also provide recommendations for safe deployment of applications relying on XML.

=Authors and Primary Editors=

Fernando Arnaboldi fernando.arnaboldi@ioactive.com

= Malformed XML Documents =

The W3C XML specification defines a set of principles that XML documents must follow to be considered well formed. When a document violates any of these principles, the data it contains is considered malformed. Multiple tactics will cause a malformed document: removing an ending tag, rearranging the order of elements into a nonsensical structure, introducing forbidden characters, and so on. Without thorough testing, applications can be susceptible to vulnerabilities when supplied with malformed documents. Developers may not consider all of the potential types of inputs when designing software, since this is something normally found during the testing phase of a product.

In this example of a simple malformed document, the final ending tag is inconclusive:

Some content </element

The XML parser should stop execution once detecting a fatal error. The document shouldn’t undergo any additional processing, and the application should display an error message. The following are vulnerabilities related to malformed XML documents: