Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Whitepaper – XML Schema, DTD, and Entity Attacks: A Compendium of Known Techniques

19 mei 2014

door Jennifer Fernick

by Timothy D. Morgan and Omar Al Ibrahim

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. A core feature of XML is the ability to define and validate document structure using schemas and document type definitions (DTDs). When used incorrectly, certain aspects of these document definition and validation features can lead to security vulnerabilities in applications that use XML. This document attempts to provide an up to date reference on these attacks, enumerating all publicly known techniques applicable to the most popular XML parsers in use while exploring a few novel attacks as well.

This paper can be downloaded below.


Editor’s note: This work was originally published by VSR on May 19 2014 at https://www.vsecurity.com/download/publications/XMLDTDEntityAttacks.pdf. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com.

Jennifer Fernick

Jennifer Fernick

Jennifer Fernick is the Global Head of Research at NCC Group. She can be found on Twitter at @enjenneer.