|
 |
Wednesday, March 08, 2006 |
Our new white paper, "Protecting XML Applications From Attack - Full Spectrum Protection for XML Web Services", is available from Vordel's website.
It contains a detailed taxonomy of XML-level attacks, including:
- XML Structural Attacks.
Attackers can create XML documents which are structured in such a way as to create a denial-of-service attack on the recipient system by tying up parsing resources.
- XML content-level [Semantic] attacks.
These attacks involve malicious content inside XML elements and attributes. This category of attack includes SQL Injection, buffer-overflow attempts, XPath injection, and command injection.
- DTD-based attacks.
DTD (Document Type Definition) descriptors are the precursors to XML Schema Definition (XSD) definitions and are potentially insecure for a number of reasons.
- HTTP GET parameters.
Many XML applications are invoked by passing them parameters using HTTP GET. These are sometimes known as “REST-style” Web Services and can be attacked by passing malicious content on the HTTP GET string.
- SOAP attachments.
SOAP message may contain attachments. Two rival specifications presently describe how SOAP messages can contain attachments: MIME and DIME. MTOM is the next method by which SOAP attachments will be sent. All can be used to transport malicious content.
- Brute force attacks.
These include bombarding a system with many XML messages, or sending extremely large messages.
After reading about the attacks in the White Paper, you can then (of course!) look at how Vordel's products protect against these attacks.
12:34:26 PM 
|
|
© Copyright 2007 Mark O'Neill.
|
|
 |
 |
 |
 |
| March 2006 |
| Sun |
Mon |
Tue |
Wed |
Thu |
Fri |
Sat |
| |
|
|
1 |
2 |
3 |
4 |
| 5 |
6 |
7 |
8 |
9 |
10 |
11 |
| 12 |
13 |
14 |
15 |
16 |
17 |
18 |
| 19 |
20 |
21 |
22 |
23 |
24 |
25 |
| 26 |
27 |
28 |
29 |
30 |
31 |
|
| Feb Apr |
|
 |
 |
 |
 |
|
