Cart
[Home] [By Thread] [By Date] [Recent Entries]
> and I'd bet a zillion bucks that there are awful vulnerabilities lurking > in the cracks where nobody could possibly have thought to look. -Tim There are some that are inherent in XML itself: entities for example, and the fact that there are no size limits (element name with 1e6 characters, or 1e6 attributes, or a document 1e6 elements deep). This makes XML inherently more "dangerous" than classic binary formats like ASN.1/DER. There are some dangerous corners when you mix and match various XML technologies. For example, just because the incoming message schema-validates doesn't mean that (a) you have the right schema (does your verifier just blindly trust xsi:schemaLocation attributes)?, or (b) that it's really secure (does your schema limit xsd:string such that SQL injection atttacks are prohibitied). There are areas to be concerned when exposing (transactional) back-office systems to the looser mix of XML and Web technologies, causing trade-offs to perhaps be made in the "wrong" direction. Len alluded to this in his usual elliptical style. :) Hope this helps. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
|
