Over a million developers have joined DZone.

XML Flaws Create DoS Threats: Codenomicon

DZone's Guide to

XML Flaws Create DoS Threats: Codenomicon

· Web Dev Zone ·
Free Resource

Jumpstart your Angular applications with Indigo.Design, a unified platform for visual design, UX prototyping, code generation, and app development.

Vulnerabilities discovered in XML libraries from Sun, Apache Software Foundation and Python Software Foundation could result in successful denial-of-service attacks on applications built with them, according to Codenomicon; security vendor that makes a protocol-analysis fuzzing tool, Defensics, and earlier this year added a way to test for vulnerabilities in XML code.

"There are probably millions of these applications," says Dave Chartier, CEO of Codenomicon

Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available soon. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI), which has worked closely with Codenomicon.

Fuzzing tools test for vulnerabilities in code by hitting it with both valid requests and anomalies to see how it responds. Codenomicon found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and even delivery of a malicious payload using XML-based content.

The vulnerabilities could be exploited by enticing a user to open a specifically-crafted XML file, or by submitting malicious requests to Web services that handle XML content, according to Codenomicon. Chartier says it should be anticipated that attackers will explore XML-related attacks, and he advises organizations to follow the suggested recommendations, such as patching.

XML is widely used in .NET, SOAP, VoIP, Web services and industrial automation applications, the firm points out.

"XML implementations are ubiquitous -- they are found in systems and services where one would not expect to find them," Erka Koivunen, head of CERT-FI

Codenomicon expects to discuss the various XML vulnerabilities in depth at the Miami-based conference Hacker Halted 2009 in September.

Take a look at an Indigo.Design sample application to learn more about how apps are created with design to code software.


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}