Reference : Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/21242
Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems
English
Jan, Sadeeq [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Nguyen, Duy Cu [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Briand, Lionel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
3-Aug-2015
The 2015 IEEE International Conference on Software Quality, Reliability & Security, Vancouver 3-5 August 2015
Yes
No
International
The 2015 IEEE International Conference on Software Quality, Reliability & Security
03-08-2015 to 05-08-2015
IEEE Reliability Society
Vancouver
Canada
[en] XML Vulnerabilities (BIL, XXE) ; XML Parsers ; Security Testing
[en] The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of service, have been discovered and published. However, due to development time pressures and limited security expertise, such attacks are often overlooked in practice. In this paper, following a rigorous and extensive experimental process, we study the presence of two types of XML-based attacks, BIL (billion laughs) and XXE (XML external entity), in 13 popular XML parsers. Furthermore, we investigate whether open-source systems that adopt a vulnerable XML parser apply any mitigation to prevent such attacks. Our objective is to provide clear and solid scientific evidence about the extent of the threat associated with such XML-based attacks and to discuss the implications of the obtained results. Our conclusion is that most of the studied parsers are vulnerable, and so are the systems that use them. Such strong evidence can be used to raise awareness among software developers and is a strong motivation for developers to provide security measures that thwart BIL and XXE attacks before deployment when adopting existing XML parsers.
University of Luxembourg: SnT
Fonds National de la Recherche - FnR
Researchers ; Professionals ; Students

File(s) associated to this reference

Fulltext file(s):

File: XMLvulnerabilities.pdf ; Version: Publisher postprint ; Size: 1.06 MB ; Access: Limited access (request a copy)
