Over a million developers have joined DZone.

XML Flaws Create DoS Threats: Codenomicon

· Web Dev Zone

Start coding today to experience the powerful engine that drives data application’s development, brought to you in partnership with Qlik.

Vulnerabilities discovered in XML libraries from Sun, Apache Software Foundation and Python Software Foundation could result in successful denial-of-service attacks on applications built with them, according to Codenomicon; security vendor that makes a protocol-analysis fuzzing tool, Defensics, and earlier this year added a way to test for vulnerabilities in XML code.

"There are probably millions of these applications," says Dave Chartier, CEO of Codenomicon

Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available soon. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI), which has worked closely with Codenomicon.

Fuzzing tools test for vulnerabilities in code by hitting it with both valid requests and anomalies to see how it responds. Codenomicon found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and even delivery of a malicious payload using XML-based content.

The vulnerabilities could be exploited by enticing a user to open a specifically-crafted XML file, or by submitting malicious requests to Web services that handle XML content, according to Codenomicon. Chartier says it should be anticipated that attackers will explore XML-related attacks, and he advises organizations to follow the suggested recommendations, such as patching.

XML is widely used in .NET, SOAP, VoIP, Web services and industrial automation applications, the firm points out.

"XML implementations are ubiquitous -- they are found in systems and services where one would not expect to find them," Erka Koivunen, head of CERT-FI

Codenomicon expects to discuss the various XML vulnerabilities in depth at the Miami-based conference Hacker Halted 2009 in September.

Create data driven applications in Qlik’s free and easy to use coding environment, brought to you in partnership with Qlik.


The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}