
The choice of XML parser affects how exposed an application is to XXE attacks, so it is important to consider how to invoke each parser in a safe manner.

Reference: http://web-in-security.blogspot.de/2016/03/xml-parser-evaluation.html

Crimson

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • URL Invocation attacks - Apply an EntityResolver
  • Quirks: The features external-general-entities and external-parameter-entities cannot be set (their value is always true).

Piccolo

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Quirks: The state of the feature external-parameter-entities is reported incorrectly.

Xerces SAX/DOM

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Information: enable the feature disallow-doctype-decl (set it to true) as a countermeasure against all of these attacks; it rejects any DOCTYPE declaration, so no entities can be declared at all.

Oracle SAX/DOM

  • DoS attacks - Apply a DeclHandler
  • XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
  • Quirks: The features external-general-entities and external-parameter-entities are not supported.
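The countermeasures listed above combined into one hardened SAX setup, as an added Java example that is not code from the original page or from the referenced evaluation. It assumes a JAXP parser (javax.xml.parsers); the disallow-doctype-decl feature is Xerces-specific, and on parsers that do not recognise a feature (Crimson, Oracle) the example keeps going so the EntityResolver and DeclHandler still apply.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.ext.DeclHandler;

public class HardenedSaxParser {
    // DeclHandler that rejects every entity declaration: no expansion-based DoS, no external entities.
    static final DeclHandler REJECT_DECLS = new DeclHandler() {
        public void elementDecl(String name, String model) {}
        public void attributeDecl(String e, String a, String t, String m, String v) {}
        public void internalEntityDecl(String name, String value) throws SAXException {
            throw new SAXException("internal entity declaration rejected: " + name);
        }
        public void externalEntityDecl(String name, String pub, String sys) throws SAXException {
            throw new SAXException("external entity declaration rejected: " + name);
        }
    };
    // EntityResolver that refuses to resolve any external entity instead of fetching a file or URL.
    static final EntityResolver REJECT_EXTERNAL = (publicId, systemId) -> {
        throw new SAXException("external entity resolution refused: " + systemId);
    };
    // Some parsers (Crimson, Oracle) do not support a given feature; continue so the handlers still apply.
    static void trySetFeature(SAXParserFactory f, String name, boolean v) throws Exception {
        try { f.setFeature(name, v); }
        catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            System.err.println("feature not available on this parser: " + name);
        }
    }
    static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        trySetFeature(f, "http://apache.org/xml/features/disallow-doctype-decl", true); // Xerces: reject DOCTYPE
        trySetFeature(f, "http://xml.org/sax/features/external-general-entities", false);
        trySetFeature(f, "http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        r.setEntityResolver(REJECT_EXTERNAL);
        r.setProperty("http://xml.org/sax/properties/declaration-handler", REJECT_DECLS);
        return r;
    }
    public static void main(String[] args) throws Exception {
        String withDoctype = "<!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>"; // constructed sample input
        try { newHardenedReader().parse(new InputSource(new StringReader(withDoctype))); }
        catch (SAXException e) { System.out.println("rejected: " + e.getMessage()); }
        newHardenedReader().parse(new InputSource(new StringReader("<d>ok</d>"))); // plain document parses
    }
}
```

With Xerces the DOCTYPE is rejected before any entity is declared; with a parser that lacks that feature, the DeclHandler rejects the declaration and the EntityResolver refuses any external fetch.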

Further reading:

Safe Coding Practices

http://www.safecode.org/publication/SAFECode_Dev_Practices0211.pdf

Threat Modeling

https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx
