Paper published in a book (Scientific congresses, symposiums and conference proceedings)
Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems
Jan, Sadeeq; Nguyen, Duy Cu; Briand, Lionel
2015In The 2015 IEEE International Conference on Software Quality, Reliability & Security, Vancouver 3-5 August 2015
Peer reviewed
 

Files


Full Text
XMLvulnerabilities.pdf
Publisher postprint (1.09 MB)
Request a copy

All documents in ORBilu are protected by a user license.

Send to



Details



Keywords :
XML Vulnerabilities (BIL, XXE); XML Parsers; Security Testing
Abstract :
[en] The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of services, have been discovered and published. However, due to development time pressures and limited security expertise, such attacks are often overlooked in practice. In this paper, following a rigorous and extensive experimental process, we study the presence of two types of XML-based attacks: BIL and XXE in 13 popular XML parsers. Furthermore, we investigate whether open-source systems that adopt a vulnerable XML parser apply any mitigation to prevent such attacks. Our objective is to provide clear and solid scientific evidence about the extent of the threat associated with such XML-based attacks and to discuss the implications of the obtained results. Our conclusion is that most of the studied parsers are vulnerable and so are systems that use them. Such strong evidence can be used to raise awareness among software developers and is a strong motivation for developers to provide security measures to thwart BIL and XXE attacks before deployment when adopting existing XML parsers.
Research center :
University of Luxembourg: SnT
Disciplines :
Computer science
Author, co-author :
Jan, Sadeeq ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Nguyen, Duy Cu ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Briand, Lionel ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors :
no
Language :
English
Title :
Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems
Publication date :
03 August 2015
Event name :
The 2015 IEEE International Conference on Software Quality, Reliability & Security
Event organizer :
IEEE Reliability Society
Event place :
Vancouver, Canada
Event date :
03-08-2015 to 05-08-2015
Audience :
International
Main work title :
The 2015 IEEE International Conference on Software Quality, Reliability & Security, Vancouver 3-5 August 2015
Peer reviewed :
Peer reviewed
Name of the research project :
Automated Security Testing for XML Vulnerabilities
Funders :
FNR - Fonds National de la Recherche [LU]
Available on ORBilu :
since 05 June 2015

Statistics


Number of views
229 (26 by Unilu)
Number of downloads
8 (7 by Unilu)

Scopus citations®
 
17
Scopus citations®
without self-citations
13

Bibliography


Similar publications



Contact ORBilu