Cart
|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] RE: Extra headaches of securing XML
 Agreed, there are [some] security concerns with XML 1.0 itself but these pale on consideration to poor security in applications that are built on XML as the interchange format. That said, platform vendors haven't done a great job in providing guidelines or mitigations for the few issues with XML that we know exist today. At work, we're trying to change this somewhat and provide some guidelines and mitigations for the more common issues with security in XML applications in upcoming months. However, the bigger is security issues in applications of XML which of course have little to do with XML itself but will smear it nonetheless. -- PITHY WORDS OF WISDOM Blessed are the meek for they shall inherit the Earth, minus 40% inheritance tax. ________________________________ From: Rich Salz [mailto:rsalz@d...] Sent: Tue 3/30/2004 10:10 AM To: Tim Bray Cc: Bullard, Claude L (Len); 'Hunsberger, Peter'; xml-dev@l...; Gerben Rampaart Subject: Re: Extra headaches of securing XML > and I'd bet a zillion bucks that there are awful vulnerabilities lurking > in the cracks where nobody could possibly have thought to look. -Tim There are some that are inherent in XML itself: entities for example, and the fact that there are no size limits (element name with 1e6 characters, or 1e6 attributes, or a document 1e6 elements deep). This makes XML inherently more "dangerous" than classic binary formats like ASN.1/DER. There are some dangerous corners when you mix and match various XML technologies. For example, just because the incoming message schema-validates doesn't mean that (a) you have the right schema (does your verifier just blindly trust xsi:schemaLocation attributes)?, or (b) that it's really secure (does your schema limit xsd:string such that SQL injection atttacks are prohibitied). There are areas to be concerned when exposing (transactional) back-office systems to the looser mix of XML and Web technologies, causing trade-offs to perhaps be made in the "wrong" direction. Len alluded to this in his usual elliptical style. :) Hope this helps. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html ----------------------------------------------------------------- The xml-dev list is sponsored by XML.org <http://www.xml.org>, an initiative of OASIS <http://www.oasis-open.org> The list archives are at http://lists.xml.org/archives/xml-dev/ To subscribe or unsubscribe from this list use the subscription manager: <http://www.oasis-open.org/mlmanage/index.php> 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||
