Security analysis of XML, XML usage and XML parsing

Web-based applications greatly increase the availability of information and the ability of people to access and share information in a collaborative environment. Organisations can only truly make use of this technology to create a competitive advantage if they can trust the technology to distribute and mediate information in a safe and secure manner. The Web was not designed with security in mind and the use of XML as a vehicle for marking up information and mediating information flows does not directly support the imposition Of a security architecture to manage the security of collaborative information sharing and dissemination. The adoption of XML as the vehicle for electronic commerce has created an environment where XML is now a core technology to most organisations, yet most organisations are relying on off-the-shelf solutions to parsing and manipulating it. In his paper we will examine how XML and XML parsers can be attacked and used to modify, and enter false or misleading, information relating to an electronic transaction. The attack scenarios will be divided into five categories: DTD, Document Corruption, single-node, multi-node and back-end systems. For each attack type we will explore how the attack is perpetrated and what, if any, countermeasures exist to mitigate the attacks.