
XML Flaws Create DoS Threats: Codenomicon

Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation and the Python Software Foundation could result in successful denial-of-service attacks on applications built with them, according to Codenomicon, a security vendor that makes a protocol-analysis fuzzing tool, Defensics, and that earlier this year added a way to test for vulnerabilities in XML code.

"There are probably millions of these applications," says Dave Chartier, CEO of Codenomicon.

Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available soon. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI), which has worked closely with Codenomicon.

Fuzzing tools test for vulnerabilities in code by hitting it with both valid requests and anomalies to see how it responds. Codenomicon found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and even delivery of a malicious payload using XML-based content.
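To make the fuzzing approach concrete, here is an added example (not Codenomicon's Defensics and not code from this article): a small Python harness that feeds an XML parser a valid document plus a handful of structural anomalies under a time budget and classifies each run as cleanly rejected, slow, or crashed. The seed document, the anomaly set and the `budget_s` threshold are constructed for illustration.

```python
import time
import xml.etree.ElementTree as ET

# Constructed seed: a small, well-formed document standing in for a
# valid Web-service request.
SEED = ('<?xml version="1.0"?>'
        '<order id="42"><item sku="A1" qty="2">Widget</item></order>')


def anomalies(seed):
    """Yield (label, document) pairs: the valid seed plus anomalies
    derived from it, mirroring the valid-plus-anomalous input mix
    a fuzzer uses."""
    yield "valid", seed
    yield "truncated", seed[: len(seed) // 2]           # cut mid-token
    yield "unbalanced", seed.replace("</order>", "")     # missing close tag
    yield "control-char", seed.replace("Widget", "Wid\x00get")  # NUL in text
    yield "deep-nesting", "<a>" * 5_000 + "</a>" * 5_000  # stresses recursion
    yield "many-attributes", ("<a " + " ".join(f"x{i}='1'" for i in range(5_000))
                              + "/>")                     # stresses attribute tables


def exercise(parser, doc, budget_s=1.0):
    """Run one input through `parser` and classify the outcome.

    "rejected" is the healthy result for a malformed document: the parser
    raised its own well-formedness error.  "slow" and "crash" are the
    outcomes that map to the denial-of-service class described above."""
    start = time.perf_counter()
    try:
        parser(doc)
        outcome = "ok"
    except ET.ParseError:
        outcome = "rejected"
    except Exception:          # MemoryError, RecursionError, anything unexpected
        outcome = "crash"
    elapsed = time.perf_counter() - start
    if elapsed > budget_s:
        outcome = "slow"
    return outcome, elapsed


def fuzz(parser=ET.fromstring, budget_s=1.0):
    """Exercise every anomaly against `parser`; returns {label: outcome}.
    Pass a different callable to test another library with the same inputs."""
    return {label: exercise(parser, doc, budget_s)[0]
            for label, doc in anomalies(SEED)}


if __name__ == "__main__":
    for label, outcome in fuzz().items():
        print(f"{label:16s} {outcome}")
```

Any label that comes back `slow` or `crash` is the kind of input a patched parser should instead report as `rejected`.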

The vulnerabilities could be exploited by enticing a user to open a specially crafted XML file, or by submitting malicious requests to Web services that handle XML content, according to Codenomicon. Chartier says organizations should anticipate that attackers will explore XML-related attacks, and he advises them to follow the suggested recommendations, such as patching.

XML is widely used in .NET, SOAP, VoIP, Web services and industrial automation applications, the firm points out.

"XML implementations are ubiquitous -- they are found in systems and services where one would not expect to find them," says Erka Koivunen, head of CERT-FI.

Codenomicon expects to discuss the various XML vulnerabilities in depth at the Miami-based conference Hacker Halted 2009 in September.
