Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems

JAN, Sadeeq; NGUYEN, Duy Cu; BRIAND, Lionel

Communication publiée dans un ouvrage (Colloques, congrès, conférences scientifiques et actes)

JAN, Sadeeq; NGUYEN, Duy Cu; BRIAND, Lionel

2015 • In The 2015 IEEE International Conference on Software Quality, Reliability & Security, Vancouver 3-5 August 2015

Peer reviewed

Permalien
https://hdl.handle.net/10993/21242

Documents (1)Envoyer vers Détails Statistiques Bibliographie Publications similaires

Documents

Texte intégral

XMLvulnerabilities.pdf

Postprint Éditeur (1.09 MB)

Demander un accès

Tous les documents dans ORBilu sont protégés par une licence d'utilisation.

Envoyer vers

RIS BibTex APA Chicago Permalink X Linkedin

Détails

Mots-clés :

XML Vulnerabilities (BIL, XXE); XML Parsers; Security Testing

Résumé :

[en] The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of services, have been discovered and published. However, due to development time pressures and limited security expertise, such attacks are often overlooked in practice. In this paper, following a rigorous and extensive experimental process, we study the presence of two types of XML-based attacks: BIL and XXE in 13 popular XML parsers. Furthermore, we investigate whether open-source systems that adopt a vulnerable XML parser apply any mitigation to prevent such attacks. Our objective is to provide clear and solid scientific evidence about the extent of the threat associated with such XML-based attacks and to discuss the implications of the obtained results. Our conclusion is that most of the studied parsers are vulnerable and so are systems that use them. Such strong evidence can be used to raise awareness among software developers and is a strong motivation for developers to provide security measures to thwart BIL and XXE attacks before deployment when adopting existing XML parsers.

Centre de recherche :

University of Luxembourg: SnT

Disciplines :

Sciences informatiques

Auteur, co-auteur :

JAN, Sadeeq ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

NGUYEN, Duy Cu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

Co-auteurs externes :

Langue du document :

Anglais

Titre :

Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems

Date de publication/diffusion :

03 août 2015

Nom de la manifestation :

The 2015 IEEE International Conference on Software Quality, Reliability & Security

Organisateur de la manifestation :

IEEE Reliability Society

Lieu de la manifestation :

Vancouver, Canada

Date de la manifestation :

03-08-2015 to 05-08-2015

Manifestation à portée :

International

Titre de l'ouvrage principal :

The 2015 IEEE International Conference on Software Quality, Reliability & Security, Vancouver 3-5 August 2015

Peer reviewed :

Peer reviewed

Intitulé du projet de recherche :

Automated Security Testing for XML Vulnerabilities

Organisme subsidiant :

FNR - Fonds National de la Recherche

Disponible sur ORBilu :

depuis le 05 juin 2015

Statistiques

Nombre de vues

332 (dont 27 Unilu)

Nombre de téléchargements

8 (dont 7 Unilu)

Voir plus de statistiques

citations Scopus^®

citations Scopus^®
sans auto-citations

Bibliographie

Imperva Web Application Attack Report. http://www.imperva.com/docs/HII Web Application Attack Report Ed4.pdf. Accessed: 2014-07-05.
W3C XML Standard. http://www.w3.org/TR/REC-xml/. Accessed: 2014-07-01.
XML External Entity Injection. http://securityhorror.blogspot.com/2012/03/what-is-xxe-attacks.html. Accessed: 2014-06-27.
XML Terminology. http://en.wikipedia.org/wiki/XML/. Accessed: 2014-02-20.
XML Vulnerabilities Introduction. http://resources.infosecinstitute.com/xml-vulnerabilities/. Accessed: 2014-06-22.
N. Antunes and M. Vieira. Comparing the effectiveness of penetration testing and static code analysis on the detection of sql injection vulnerabilities in web services. In Dependable Computing, 2009. PRDC '09. 15th IEEE Pacific Rim International Symposium on, pages 301-306, Nov 2009.
E. Bertino, L. Martino, F. Paci, and A. Squicciarini. Security for Web Services and Service Oriented Architectures. Springer, 2010.
M. R. Brenner and M. R. Unmehopa. Service-oriented architecture and web services penetration in next-generation networks. Bell Labs Technical Journal, 12 (2):147-159, 2007.
R. Chang, G. Jiang, F. Ivancic, S. Sankaranarayanan, and V. Shmatikov. Inputs of coma: Static detection of denial-of-service vulnerabilities. In Computer Security Foundations Symposium, 2009. CSF '09. 22nd IEEE, pages 186-199, July 2009.
J. Chen, Q. Li, C. Mao, D. Towey, Y. Zhan, and H.Wang. A web services vulnerability testing approach based on combinatorial mutation and soap message mutation. Service Oriented Computing and Applications, 8:1-13, 2014.
W. Chunlei, L. Li, and L. Qiang. Automatic fuzz testing of web service vulnerability. In Information and Communications Technologies (ICT 2014), 2014 International Conference on, pages 1-6, May 2014.
Y. Demchenko, L. Gommans, C. de Laat, and B. Oudenaarde. Web services and grid security vulnerabilities and threats analysis and model. In The 6th IEEE/ACM International Workshop on Grid Computing. IEEE, 2005.
A. Falkenberg, C. Mainka, J. Somorovsky, and J. Schwenk. A new approach towards dos penetration testing on web services. In Web Services (ICWS), 2013 IEEE 20th International Conference on, pages 491-498, June 2013.
A. N. Gupta and D. P. S. Thilagam. Attacks on web services need to secure xml on web. Computer Science and Engineering, An International Journal (CSEIJ), 3 (5), 2013.
M. Jensen, N. Gruschka, and R. Herkenhner. A survey of attacks on web services. Computer Science-Research and Development, 24 (4):185-197, 2009.
C. Mainka, J. Somorovsky, and J. Schwenk. Penetration testing tool for web services security. In Services (SERVICES), 2012 IEEE Eighth World Congress on, pages 163-170, June 2012.
R. Oliveira, N. Laranjeiro, and M. Vieira. Wsfaggressor: An extensible web service framework attacking tool. In Proceedings of the Industrial Track of the 13th ACM/IFIP/USENIX International Middleware Conference, MIDDLEWARE '12, pages 2:1-2:6. ACM, 2012.
S. Orrin. The soa/xml threat model and new xml/so/web 2.0 attacks and threats. In DEFCON 15, 2007.
S. Padmanabhuni, V. Singh, K. Senthil Kumar, and A. Chatterjee. Preventing service oriented denial of service (presodos): A proposed approach. In Web Services, 2006. ICWS '06. International Conference on, pages 577-584, Sept 2006.
V. Patel, R. Mohandas, and A. R. Pais. Attacks on web services and mitigation schemes. In Security and Cryptography (SECRYPT), Proceedings of the 2010 International Conference on, pages 1-6, July 2010.
S. Suriadi, A. Clark, and D. Schmidt. Validating denial of service vulnerabilities in web services. In Network and System Security (NSS), 2010 4th International Conference on, pages 175-182, Sept 2010.
S. Tiwari and P. Singh. Survey of potential attacks on web services and web service compositions. In Electronics Computer Technology (ICECT), 2011 3rd International Conference on, volume 2, pages 47-51, April 2011.
S. Varrette, P. Bouvry, H. Cartiaux, and F. Georgatos. Management of an academic hpc cluster: The ul experience. In Proc. of the 2014 Intl. Conf. on High Performance Computing & Simulation (HPCS 2014), Bologna, Italy, July 2014. IEEE.
X. Ye. Countering ddos and xdos attacks against web services. In Embedded and Ubiquitous Computing, 2008. EUC '08. IEEE/IFIP International Conference on, volume 1, pages 346-352, Dec 2008.