Exploiting XML namespaces formatted as IRIs (InternationalizedResource I
Hi Folks,

The namespaces in XML 1.1 can be any IRI (Internationalized Resource Identifier) [1]. Oftentimes namespaces are used in a dual role, as a label for an XML vocabulary and as an actual URL that one can dereference to get further information.

Namespaces formatted as IRIs open up the possibility for a new type of attack: an IDN homograph attack [2].

The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the term for the attack).

For example, consider an XML document with the namespace http://www.citibank.com

    <Document xmlns="http://www.citibank.com">
        ...
    </Document>

where the Latin C is replaced with the Cyrillic С. A user of the XML document may dereference the namespace URL and end up at a web site that looks like Citibank but isn't. If the user were to enter their username and password then their information would go into the wrong hands.

How can this attack be prevented?

/Roger

[1] http://www.w3.org/TR/xml-names11/#iri-use
[2] http://en.wikipedia.org/wiki/IDN_homograph_attack
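One possible check for the question the post raises, added here as an example and not part of the original message: before any namespace is dereferenced, list every declared namespace whose host contains non-ASCII characters, show its ASCII (xn--) form, and flag labels that mix scripts. The function names, the name-based script heuristic and the sample document are assumptions made for this illustration.

```python
import io
import unicodedata
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def label_scripts(label):
    """Approximate the scripts in one DNS label from Unicode character names.

    Heuristic: the first word of a letter's Unicode name (LATIN, CYRILLIC,
    GREEK, ...) stands in for its script property, which the standard
    library does not expose directly.
    """
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def audit_namespaces(xml_bytes):
    """Return one finding per declared namespace whose host is not pure ASCII."""
    findings = []
    parser = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",))
    for _event, (prefix, uri) in parser:
        try:
            host = urlsplit(uri).hostname or ""
        except ValueError:          # namespace name is not a parseable URL
            continue
        if host.isascii():          # also skips names without a host, e.g. urn:
            continue
        try:
            ascii_host = host.encode("idna").decode("ascii")
        except UnicodeError:        # not encodable as an IDN at all
            ascii_host = None
        findings.append({
            "prefix": prefix,
            "uri": uri,
            "ascii_host": ascii_host,   # what would actually be resolved
            "mixed_script_labels": [l for l in host.split(".")
                                    if len(label_scripts(l)) > 1],
        })
    return findings


# Constructed sample: the default namespace uses U+0441 (Cyrillic small es)
# in place of the Latin "c"; the "ok" prefix uses the all-Latin spelling.
SAMPLE = ('<Document xmlns="http://www.\u0441itibank.com" '
          'xmlns:ok="http://www.citibank.com"><ok:a/></Document>').encode("utf-8")

if __name__ == "__main__":
    for finding in audit_namespaces(SAMPLE):
        print(finding)
```

A label written entirely in one non-Latin script is still reported with its ASCII form but has an empty mixed-script list, so the xn-- host is the value to compare against an allow-list of expected namespace hosts.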