
Devouring Security: XML – Attack surface and Defenses

·         XML today

·         XML/XPath injection – Demo

·         Compiled XPath queries

·         DTD use and abuse

          - document validations
          - entity expansions
          - denial of service – Demo
          - arbitrary URI access (egress)
          - file enumeration and theft – Demo
          - CSRF on internal systems – Demo?

·         Framework default limits/restrictions

·         Mitigations

·         Lessons learned

·         Verifying your XML systems for potential threats




1.       All topics include sample code for both the exploit and its prevention, language (C#, Java, PHP) and platform (Windows/Linux) agnostic wherever possible.

2.       At this point it is imperative that you know the main attack scenarios against XML: framework defaults may not protect you, so you may already be vulnerable and simply not have found it yet.

3.       The session is somewhat biased towards DTD abuse in XML systems, since the injection concepts and their remediation are largely the same for XML as for SQL injection.
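As an added example (not code from the original post), the following Java program shows two of the defenses on the agenda: a DocumentBuilderFactory hardened so that any DOCTYPE is refused (which removes both entity-expansion denial of service and external entity access in one step), and a compiled XPath query that binds user input through a variable resolver instead of string concatenation. The sample documents, the class name HardenedXml and its method names are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public class HardenedXml {

    // Constructed sample document (not taken from the original post).
    static final String USERS =
        "<users>"
      + "  <user name=\"alice\" role=\"admin\"/>"
      + "  <user name=\"bob\" role=\"user\"/>"
      + "</users>";

    // Constructed document that carries a DOCTYPE; a hardened parser must refuse it
    // before any entity declaration inside it is processed.
    static final String WITH_DOCTYPE =
        "<!DOCTYPE users [<!ENTITY x \"x\">]><users>&x;</users>";

    // Build a factory whose defaults are overridden to fail closed on DTDs.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE entirely: no internal entities (expansion DoS),
        // no external entities (file or URI access from the parser).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that honour these but not the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Compiled XPath with a bound variable: the caller's value is supplied through
    // the resolver, never spliced into the query text, so quotes or operators in it
    // are matched literally and cannot change the query's structure.
    static NodeList findUser(Document doc, String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver((QName q) -> "name".equals(q.getLocalPart()) ? name : null);
        XPathExpression expr = xp.compile("/users/user[@name=$name]");
        return (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = hardenedFactory();
        Document doc = parse(f, USERS);

        System.out.println("exact match:   " + findUser(doc, "alice").getLength());
        // A tautology string is just an attribute value to a compiled query: matches nothing.
        System.out.println("injected text: " + findUser(doc, "' or '1'='1").getLength());

        try {
            parse(f, WITH_DOCTYPE);
            System.out.println("DOCTYPE accepted - parser is NOT hardened");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HardenedXml.java && java HardenedXml`. The expected behaviour is one match for "alice", zero for the tautology string, and a SAXException for the DOCTYPE document. To verify your own parser's defaults, swap `hardenedFactory()` for a plain `DocumentBuilderFactory.newInstance()` and observe whether the DOCTYPE document is accepted; on a parser that does not recognise the `disallow-doctype-decl` feature, `setFeature` throws, and the right response is to treat that as a configuration failure rather than continue with defaults.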

