Paper Info
Title
Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems
Abstract
The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of services, have been discovered and published. However, due to development time pressures and limited security expertise, such attacks are often overlooked in practice. In this paper, following a rigorous and extensive experimental process, we study the presence of two types of XML-based attacks: BIL and XXE in 13 popular XML parsers. Furthermore, we investigate whether open-source systems that adopt a vulnerable XML parser apply any mitigation to prevent such attacks. Our objective is to provide clear and solid scientific evidence about the extent of the threat associated with such XML-based attacks and to discuss the implications of the obtained results. Our conclusion is that most of the studied parsers are vulnerable and so are systems that use them. Such strong evidence can be used to raise awareness among software developers and is a strong motivation for developers to provide security measures to thwart BIL and XXE attacks before deployment when adopting existing XML parsers.
Year
DOI
Venue
2015
10.1109/QRS.2015.42
QRS
Keywords
Field
DocType
XML Vulnerabilities (BIL, XXE), XML Parsers, Security Testing
World Wide Web,Security testing,Software deployment,XML,Computer science,Software system,Software,Parsing,Web service,Information sensitivity
Conference
Citations 
PageRank 
References 
3
0.38
13
Authors
3
Name
Order
Citations
PageRank
Sadeeq Jan1121.89
Cu D. Nguyen230.38
Lionel C. Briand38795481.98