Re: Namespace prefixes are a security risk
You don't even need namespaces for this 'hidden message'.
Just put the original order in a file attacknow.xml
or host it at http://www.attacknow.com/
Or send it in an email with a subject like "Attach Now".

In fact you don't need the XML at all for any of this. An empty or non-existent file will do.

David A. Lee
email@example.com
http://www.calldei.com
http://www.xmlsh.org
812-482-5224

G. Ken Holman wrote:
> At 2009-12-28 11:14 -0500, Costello, Roger L. wrote:
>> The problem described below occurs with XML 'guards' that are trying
>> to prevent the release of unauthorized information at an enclave
>> boundary.
>
> Surely, Roger, you've been dipping into the New Year's grog a bit
> early here, haven't you?
>
>> Namespace prefixes provide a ready channel for transmitting
>> information out of the protected enclave. That channel is overlooked
>> by most XML applications, except for an application that is
>> specifically looking for that information.
>> ...
>> <attackNOW:book xmlns:attackNOW="http://www.book.org">
>> <attackNOW:title>The Origin of Wealth</attackNOW:title>
>> ...
>> Not so innocent-looking anymore, is it?
>
> No, it looks ludicrous!
>
> I'm guessing you are pulling our collective legs here for some holiday
> fun. This is reminiscent of worries of rock music carrying hidden
> transmissions programming the teenagers to rebel against their parents.
>
> Have a happy new year!
>
> . . . . . . . . . . . Ken
>
>
> --
> UBL and Code List training: Copenhagen, Denmark 2010-02-08/10
> XSLT/XQuery/XPath training after http://XMLPrague.cz 2010-03-15/19
> XSLT/XQuery/XPath training: San Carlos, California 2010-04-26/30
> Vote for your XML training: http://www.CraneSoftwrights.com/x/i/
> Crane Softwrights Ltd. http://www.CraneSoftwrights.com/x/
> Training tools: Comprehensive interactive XSLT/XPath 1.0/2.0 video
> Video lesson: http://www.youtube.com/watch?v=PrNjJCh7Ppg&fmt=18
> Video overview: http://www.youtube.com/watch?v=VTiodiij6gE&fmt=18
> G. Ken Holman mailto:gkholman@CraneSoftwrights.com
> Male Cancer Awareness Nov'07 http://www.CraneSoftwrights.com/x/bc
> Legal business disclaimers: http://www.CraneSoftwrights.com/legal
>
>
> _______________________________________________________________________
>
> XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> to support XML implementation and development. To minimize
> spam in the archives, you must subscribe before posting.
>
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Or unsubscribe: firstname.lastname@example.org
> subscribe: email@example.com
> List archive: http://lists.xml.org/archives/xml-dev/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
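
Added example, not part of any poster's message: one way a guard of the kind described in the quoted text could list the namespace prefixes a sender chose and re-serialize the document with generated prefixes, using Python's standard xml.etree.ElementTree. The sample document is constructed from the fragment quoted in the thread, and the function names are assumptions made for this illustration.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fragment quoted in the thread.
SAMPLE = (
    '<attackNOW:book xmlns:attackNOW="http://www.book.org">'
    '<attackNOW:title>The Origin of Wealth</attackNOW:title>'
    '</attackNOW:book>'
)


def declared_prefixes(xml_text):
    """Return every (prefix, namespace URI) pair declared in the document.

    "start-ns" events are the only point at which ElementTree exposes the
    sender-chosen prefix, so this is where a guard can log or inspect it.
    """
    source = io.BytesIO(xml_text.encode("utf-8"))
    return [pair for _event, pair in ET.iterparse(source, events=("start-ns",))]


def normalize_prefixes(xml_text):
    """Re-serialize so sender-chosen prefixes are replaced by generated ones.

    ElementTree stores names as {uri}local and discards the original prefix;
    serializing emits ns0, ns1, ... for any URI without a registered prefix.
    Limitation: QNames that appear inside attribute values or text content
    are not rewritten, so documents relying on them need extra handling.
    """
    root = ET.fromstring(xml_text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("declared:", declared_prefixes(SAMPLE))
    print("released:", normalize_prefixes(SAMPLE))
```

This rewrites only the prefix, which is not significant to namespace-aware processing; element names, namespace URIs and text content pass through unchanged.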