Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems

Sadeeq Jan, Cu D. Nguyen, Lionel Briand

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

Abstract

The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of service, have been discovered and published. However, due to development time pressures and limited security expertise, such attacks are often overlooked in practice. In this paper, following a rigorous and extensive experimental process, we study the presence of two types of XML-based attacks, BIL and XXE, in 13 popular XML parsers. Furthermore, we investigate whether open-source systems that adopt a vulnerable XML parser apply any mitigation to prevent such attacks. Our objective is to provide clear and solid scientific evidence about the extent of the threat associated with such XML-based attacks and to discuss the implications of the obtained results. Our conclusion is that most of the studied parsers are vulnerable, and so are systems that use them. Such strong evidence can be used to raise awareness among software developers and is a strong motivation for developers to provide security measures to thwart BIL and XXE attacks before deployment when adopting existing XML parsers.
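The mitigation the abstract asks adopters of a vulnerable parser to apply can be as simple as refusing any untrusted document that carries a DOCTYPE or entity declaration, since both BIL (entity expansion) and XXE (external entity) attacks depend on one. The following is an added illustration, not code from the paper or from any of the systems it studied; it uses only Python's standard library, and the sample documents are constructed for the example.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DtdRejected(ValueError):
    """Raised when an untrusted document carries a DOCTYPE or entity declaration."""


def _reject(*_ignored):
    # Any DOCTYPE or <!ENTITY ...> declaration is grounds for refusal: both
    # BIL (entity expansion) and XXE (external entity) attacks need one.
    raise DtdRejected("DOCTYPE / ENTITY declarations are not accepted")


def assert_no_dtd(document: str) -> None:
    """Scan the document with expat and abort on the first DTD construct."""
    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject
    scanner.EntityDeclHandler = _reject
    scanner.Parse(document, True)


def parse_untrusted(document: str) -> ET.Element:
    """Reject DTD-bearing input first, then parse normally."""
    assert_no_dtd(document)
    return ET.fromstring(document)


def classify(document: str) -> str:
    """Return 'accepted:<root tag>' or 'rejected' for a sample document."""
    try:
        return "accepted:" + parse_untrusted(document).tag
    except DtdRejected:
        return "rejected"


# Constructed sample inputs (not taken from the paper).
BENIGN = "<order><item>widget</item></order>"
ENTITY_CHAIN = (  # internal entity chain, the construct BIL payloads build on
    '<!DOCTYPE order [<!ENTITY a "x"><!ENTITY b "&a;&a;">]>'
    "<order>&b;</order>"
)
EXTERNAL_ENTITY = (  # external entity declaration, the construct XXE relies on
    '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    "<order>&ext;</order>"
)

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("chain", ENTITY_CHAIN), ("external", EXTERNAL_ENTITY)]:
        print(name, classify(doc))
```

Rejecting the DTD outright is stricter than what every application can tolerate; where a schema genuinely needs a DOCTYPE, the same handlers can be narrowed to refuse only external (SYSTEM/PUBLIC) entities and to cap expansion.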

Original language: English
Title of host publication: Proceedings - 2015 IEEE International Conference on Software Quality, Reliability and Security, QRS 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 233-241
Number of pages: 9
ISBN (Electronic): 9781467379892
DOIs
Publication status: Published - 21 Sep 2015
Externally published: Yes
Event: IEEE International Conference on Software Quality, Reliability and Security, QRS 2015 - Vancouver, Canada
Duration: 3 Aug 2015 to 5 Aug 2015

Publication series

Name: Proceedings - 2015 IEEE International Conference on Software Quality, Reliability and Security, QRS 2015

Conference

Conference: IEEE International Conference on Software Quality, Reliability and Security, QRS 2015
Country/Territory: Canada
City: Vancouver
Period: 3/08/15 to 5/08/15

Keywords

  • Security Testing
  • XML Parsers
  • XML Vulnerabilities (BIL, XXE)
