.lu software verification & validation V V S Known XML Vulnerabilities Are Still a Threat to Popular Parsers & Open Source Systems Sadeeq Jan, Cu D. Nguyen, Lionel Briand Interdisciplinary Centre for Security, Reliability and Trust (SnT) University of Luxembourg QRS 2015 The 2015 IEEE International Conference on Software Quality, Reliability & Security Vancouver, Canada, August 3-5, 2015
Motivation
• Widespread use of XML
• De-facto standard for data exchange
• > 500 XML Vulnerabilities reported in National Vulnerability Database (NVD)
NVD Statistics (07/2015): bar chart of the number of vulnerabilities per category (XML DoS (BIL), XXE, XML Parser, XML injection); y-axis "No. of Vulnerabilities", 0 to 250.
Background–XML Vulnerabilities
XML Bomb/Billion Laughs (BIL)
XML External Entity Exploitation (XXE)
XML Bomb/Billion Laughs (BIL)
• DoS attack on XML parser using well-formed XML
• Exponential entity expansion
<?xml version="1.0"?>
<!DOCTYPE xmlBOMB [
<!ENTITY a "Random Text">
<!ENTITY b "&a; &a; &a; &a; &a;">
<!ENTITY c "&b; &b; &b; &b; &b;">
<!ENTITY d "&c; &c; &c; &c; &c;">
]>
<xmlBOMB>&d;</xmlBOMB>
• Impact
– Higher memory & CPU consumption
– DoS on parsing system
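A pre-parse DTD check for the two vulnerability classes on these slides, added here as an example that is not part of the paper or its tooling: it uses Python's bundled expat bindings to read the entity declarations, rejects any external (SYSTEM/PUBLIC) entity declaration before it can be resolved, and computes each internal entity's expanded size without actually expanding it, so a Billion-Laughs document is refused before the parser builds the payload. The MAX_AMPLIFICATION threshold and the three sample documents are constructed assumptions.

```python
import re
import xml.parsers.expat

MAX_AMPLIFICATION = 10  # expanded bytes / declared DTD bytes; assumed policy value
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")  # general entity refs, not &#NN;

class UnsafeXML(Exception):
    """Raised from a DTD handler so expat stops before expanding anything."""

def expanded_length(name, entities, stack=()):
    """Byte count of entity `name` after full expansion, computed without expanding."""
    if name in stack:
        raise UnsafeXML("recursive entity: " + " -> ".join(stack + (name,)))
    value = entities.get(name, "")  # undeclared/predefined (&lt;) count as empty
    total, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - last + expanded_length(m.group(1), entities, stack + (name,))
        last = m.end()
    return total + len(value) - last

def check_xml(data):
    """Return (ok, reason, root_tag): rejects BIL-style amplification and XXE."""
    entities, tags = {}, []
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # SYSTEM/PUBLIC identifier => external entity (XXE)
            raise UnsafeXML(f"external entity {name!r} -> {system_id!r}")
        entities[name] = value
    def on_end_doctype():  # every declaration is known, nothing expanded yet
        declared = sum(len(v) for v in entities.values()) or 1
        for name in entities:
            size = expanded_length(name, entities)
            if size > MAX_AMPLIFICATION * declared:
                raise UnsafeXML(f"entity {name!r} expands to {size} bytes from "
                                f"{declared} declared bytes (amplification)")
    p = xml.parsers.expat.ParserCreate()
    p.EntityDeclHandler = on_entity
    p.EndDoctypeDeclHandler = on_end_doctype
    p.StartElementHandler = lambda name, attrs: tags.append(name)
    try:
        p.Parse(data, True)
    except UnsafeXML as e:
        return False, str(e), None
    return True, "ok", tags[0] if tags else None

# Constructed inputs: the slide's bomb (straight quotes), an external entity with a placeholder target, a benign document.
BOMB = ('<?xml version="1.0"?><!DOCTYPE xmlBOMB [<!ENTITY a "Random Text">'
        '<!ENTITY b "&a; &a; &a; &a; &a;"><!ENTITY c "&b; &b; &b; &b; &b;">'
        '<!ENTITY d "&c; &c; &c; &c; &c;">]><xmlBOMB>&d;</xmlBOMB>')
XXE = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM "PLACEHOLDER-URI">]><r>&ext;</r>'
BENIGN = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY org "SnT">]><r>&org;</r>'
```

Malformed input still raises xml.parsers.expat.ExpatError to the caller; the check only decides on documents expat can read as far as the end of the DOCTYPE.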
XML External Entity (XXE) Vulnerabilities
• Attack on a weakly configured parser via XML input containing a reference to an external entity