[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Exploiting XML namespaces formatted as IRIs(Internationali

  • From: Rand McRanderson <therandshow@gmail.com>
  • To: "Costello, Roger L." <costello@mitre.org>
  • Date: Fri, 9 Dec 2011 11:19:51 -0700

Re:  Exploiting XML namespaces formatted as IRIs(Internationali

I am not sure this can be fully prevented (it probably is no more preventable than exploits based on slight misspellings of common domain names like citibanks dot com)

However, my understanding is that ultimately namespaces are rarely used as links for humans, and so if a machine is reading the namespace iri, it can distinguish between the two. If you do want to use the namespace like a further info link, you may want to use a whitelist or blacklist technique or algorithm.

In the end, exposing arbitrary namespace iris to users requires the same degree of security as exposing iri links.

Of course, I am no expert (I would say I am a intermediate xml developer), so take my words with a grain of salt.

-John Thomas

On Dec 9, 2011 9:28 AM, "Costello, Roger L." <costello@mitre.org> wrote:
Hi Folks,

The namespaces in XML 1.1 can be any IRI (Internationalized Resource Identifier) [1]

Oftentimes namespaces are used in a dual role, as a label for an XML vocabulary and as an actual URL that one can dereference to get further information.

Namespaces formatted as IRIs opens up the possibility for a new type of attack: an IDN homograph attack [2].

The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive users about what remote system they are communicating with, by exploiting the fact that many different characters look alike, (i.e., they are homographs, hence the term for the attack). For example, consider an XML document with the namespace http://www.citibank.com

<Document xmlns=" http://www.citibank.com">
š š ...
</Document>

where the Latin C is replaced with the Cyrillic ó. A user of the XML document may dereference the namespace URL and end up at a web site that looks like Citibank but isn't. If the user were to enter their username and password then their information would go into the wrong hands.

How can this attack be prevented?

/Roger


[1] http://www.w3.org/TR/xml-names11/#iri-use

[2] http://en.wikipedia.org/wiki/IDN_homograph_attack

_______________________________________________________________________

XML-DEV is a publicly archived, unmoderated list hosted by OASIS
to support XML implementation and development. To minimize
spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
subscribe: xml-dev-subscribe@lists.xml.org
List archive: http://lists.xml.org/archives/xml-dev/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]


PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.