RE: Namespace prefixes are a security risk
Any protocol that has any redundancy in it has the capability to carry steganographic information. Using namespace prefixes for this is pretty naive: if you want to evade detection, why not encode the secret information into the whitespace between attributes?

Regards,

Michael Kay
http://www.saxonica.com/
http://twitter.com/michaelhkay

> -----Original Message-----
> From: Costello, Roger L. [mailto:costello@mitre.org]
> Sent: 28 December 2009 16:15
> To: 'xml-dev@lists.xml.org'
> Subject: Namespace prefixes are a security risk
>
> Hi Folks,
>
> INTRODUCTION
>
> The problem described below occurs with XML 'guards' that are
> trying to prevent the release of unauthorized information at
> an enclave boundary. Namespace prefixes provide a ready
> channel for transmitting information out of the protected
> enclave. That channel is overlooked by most XML
> applications, except for an application that is specifically
> looking for that information.
>
> THE PROBLEM
>
> Consider this XML document containing data about a book:
>
> <book xmlns="http://www.book.org">
>     <title>The Origin of Wealth</title>
>     <author>Eric D. Beinhocker</author>
>     <date>2006</date>
>     <ISBN>1-57851-777-X</ISBN>
>     <publisher>Harvard Business School Press</publisher>
>     <cost currency="USD">29.95</cost>
> </book>
>
> Seems pretty innocuous, right?
>
> It uses a default namespace declaration. Alternatively
> (equivalently) each element can be qualified. And the prefix
> can be anything, e.g.,
>
> <attackNOW:book xmlns:attackNOW="http://www.book.org">
>     <attackNOW:title>The Origin of Wealth</attackNOW:title>
>     <attackNOW:author>Eric D. Beinhocker</attackNOW:author>
>     <attackNOW:date>2006</attackNOW:date>
>     <attackNOW:ISBN>1-57851-777-X</attackNOW:ISBN>
>     <attackNOW:publisher>Harvard Business School Press</attackNOW:publisher>
>     <attackNOW:cost currency="USD">29.95</attackNOW:cost>
> </attackNOW:book>
>
> Not so innocent-looking anymore, is it?
>
> But the problem isn't in how it "looks." The problem is that,
> as far as XML tools are concerned, the two forms are exactly
> equivalent:
>
>    - If the first form is schema-valid,
>      then the second form is schema-valid.
>
>    - If the first form can be parsed by an
>      XML parser, then the second form can
>      be parsed by an XML parser.
>
>    - If the first form can be processed by
>      an XSLT transform, then the second form
>      can be processed by an XML transform.
>
> So, a guard, processing XML documents, using XML tools, may
> be completely oblivious to the covert information being
> passed via the namespace prefix. You may even say that the
> prefix is "invisible" to the guard.
>
> REPLACE NAMESPACE PREFIXES
>
> The good news is that, whatever prefixes the XML document
> contains, they can be replaced with controlled prefixes. Here
> is an XSLT transform that replaces the namespace prefix with
> N103: (Thanks to Ken Holman for this XSLT)
>
> <?xml version="1.0" encoding="US-ASCII"?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
>                 version="1.0">
>
>     <xsl:param name="use-this-prefix"/>
>
>     <xsl:template match="*[namespace-uri(.)]">
>         <xsl:element name="{$use-this-prefix}{local-name()}"
>                      namespace="{namespace-uri(.)}">
>             <xsl:apply-templates select="@*|node()"/>
>         </xsl:element>
>     </xsl:template>
>
>     <xsl:template match="@*[namespace-uri(.)]">
>         <xsl:attribute name="{$use-this-prefix}{local-name()}"
>                        namespace="{namespace-uri(.)}">
>             <xsl:value-of select="."/>
>         </xsl:attribute>
>     </xsl:template>
>
>     <xsl:template match="@*|node()"><!--identity for all other nodes-->
>         <xsl:copy>
>             <xsl:apply-templates select="@*|node()"/>
>         </xsl:copy>
>     </xsl:template>
>
> </xsl:stylesheet>
>
> COMMENTS
>
> I welcome your comments.
>
> /Roger
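Added example, not part of either message in this thread: a Python sketch of the guard-side step discussed above, which reports prefixes that are not the controlled one and then rebuilds the document from the parsed tree, so the sender's prefixes and the whitespace between attributes are both discarded. The CONTROLLED policy table, the function names and the sample document are assumptions made for illustration.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample: the qualified form from the quoted post, cut down to two
# elements, with extra whitespace inside the tags (the channel the reply raises).
SAMPLE = (
    '<attackNOW:book   xmlns:attackNOW="http://www.book.org">'
    '<attackNOW:cost currency="USD"    unit="each">29.95</attackNOW:cost>'
    '</attackNOW:book>'
)

# Assumption: guard policy maps each permitted namespace URI to one fixed prefix.
CONTROLLED = {"http://www.book.org": "N103"}


def declared_prefixes(xml_text):
    """Return every (prefix, uri) pair declared anywhere in the document."""
    stream = io.BytesIO(xml_text.encode("utf-8"))
    # "start-ns" events expose the prefixes that the parsed tree itself hides.
    return [pair for _, pair in ET.iterparse(stream, events=("start-ns",))]


def violations(xml_text, controlled=CONTROLLED):
    """Declarations whose prefix is not the controlled one for its URI.
    A default-namespace declaration (prefix "") is reported as well."""
    return [(p, u) for p, u in declared_prefixes(xml_text)
            if controlled.get(u) != p]


def normalise(xml_text, controlled=CONTROLLED):
    """Re-serialise from the parsed tree using only controlled prefixes."""
    root = ET.fromstring(xml_text)
    for uri, prefix in controlled.items():
        ET.register_namespace(prefix, uri)  # note: process-wide setting
    # The serialiser writes tags itself, so original in-tag spacing is lost.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("flagged:", violations(SAMPLE))
    print(normalise(SAMPLE))
```

Text nodes, including whitespace between elements, pass through this step unchanged, so it closes only the two channels named in the thread.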