SoK: XML Parser Vulnerabilities

Christopher Späth, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk, Ruhr University Bochum

The Extensible Markup Language (XML) has become a widely used data structure for web services, Single Sign-On, and various desktop applications. The core of all XML processing is the XML parser. Attacks on XML parsers, such as the Billion Laughs and the XML External Entity (XXE) attack, have been known since 2002. Nevertheless, even experienced companies such as Google and Facebook were recently affected by such vulnerabilities.

In this paper we systematically analyze known attacks on XML parsers and discuss the challenges they pose and the solutions to them. Moreover, as a result of our in-depth analysis we found three novel attacks.

We conducted a large-scale analysis of 30 different XML parsers of six different programming languages. We created an evaluation framework that applies different variants of 17 XML parser attacks and executed a total of 1459 attack vectors to provide a valuable insight into a parser's configuration. We found vulnerabilities in 66 % of the default configurations of all tested parsers. In addition, we comprehensively inspected parser features that prevent the attacks, show their unexpected side effects, and propose secure configurations.
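The abstract's closing point is that a parser's default configuration, not the XML format itself, decides whether Billion Laughs or XXE can work, and that a secure configuration removes that surface. The following is an added example written for this page; it is not the paper's evaluation framework and not code from the authors. It uses only CPython's standard expat binding (`xml.parsers.expat`) and contrasts the default parser, which silently expands an entity declared in the document's own DTD, with a hardened configuration that refuses any DOCTYPE, entity declaration or external entity reference before it is processed. The sample documents are constructed and deliberately harmless (one internal entity with a one-character value); the `UnsafeXMLError`, `parse_default`, `parse_hardened` and `classify` names are this example's own.

```python
"""Default versus hardened XML parsing with CPython's expat binding.

Added example for this page, not code from the paper. All names below
(UnsafeXMLError, parse_default, parse_hardened, classify) are this
example's own; the sample documents are constructed test inputs.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses a DTD feature the hardened parser refuses."""


def parse_default(data: bytes) -> str:
    """Parse with expat's default settings and return the collected text.

    Nothing here is disabled, so an entity declared in the document's
    internal DTD subset is expanded and its value is delivered as text.
    This is the behaviour entity-expansion and XXE attacks rely on.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_hardened(data: bytes) -> dict:
    """Parse `data` and return {"root": tag, "elements": count}.

    Refuses any DOCTYPE, entity declaration or external entity reference.
    The attacks named in the abstract need an internal or external DTD,
    so a format that never legitimately carries one can reject it outright.
    """
    parser = expat.ParserCreate()
    # Never load or expand parameter entities (the external-DTD channel).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    state = {"root": None, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity inside the DTD is seen, so the document
        # is rejected before a single declaration is processed.
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed")

    def on_entity_decl(*args):
        raise UnsafeXMLError("entity declarations are not allowed")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXMLError("external entity references are not allowed")

    def on_start(tag, attrs):
        if state["root"] is None:
            state["root"] = tag
        state["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return state


def classify(data: bytes) -> str:
    """Return 'ok', 'refused' (hardened parser rejected it) or 'malformed'."""
    try:
        parse_hardened(data)
        return "ok"
    except UnsafeXMLError:
        return "refused"
    except expat.ExpatError:
        return "malformed"


# Constructed sample inputs: a plain document and one carrying a harmless
# internal DTD with a single one-character entity.
PLAIN_DOC = b"<order><item/><item/></order>"
DTD_DOC = b'<!DOCTYPE order [<!ENTITY e "x">]><order>&e;</order>'

if __name__ == "__main__":
    print("default parser text for DTD_DOC:", repr(parse_default(DTD_DOC)))
    for doc in (PLAIN_DOC, DTD_DOC, b"<broken>"):
        print(classify(doc), doc)
```

Refusing the DOCTYPE is the blunt but complete option for formats that never need a DTD; where a DTD is required, the same callbacks can be kept to deny only external entities and parameter entities while still counting expansions. The design choice to reject in `StartDoctypeDeclHandler` matters: it runs before expat has read any entity declaration, so no expansion work is done on a rejected document.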


BibTeX
@inproceedings {198467,
author = {Christopher Sp{\"a}th and Christian Mainka and Vladislav Mladenov and J{\"o}rg Schwenk},
title = {{SoK}: {XML} Parser Vulnerabilities},
booktitle = {10th USENIX Workshop on Offensive Technologies (WOOT 16)},
year = {2016},
address = {Austin, TX},
url = {https://www.usenix.org/conference/woot16/workshop-program/presentation/spath},
publisher = {USENIX Association},
month = aug
}