SoK: XML Parser Vulnerabilities

Authors: 

Christopher Späth, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk, Ruhr University Bochum

Abstract: 

The Extensible Markup Language (XML) has become a widely used data structure for web services, Single Sign-On, and various desktop applications. The core of all XML processing is the XML parser. Attacks on XML parsers, such as the Billion Laughs and the XML External Entity (XXE) attack, have been known since 2002. Nevertheless, even experienced companies such as Google and Facebook were recently affected by such vulnerabilities.

In this paper we systematically analyze known attacks on XML parsers and discuss the challenges they pose and the solutions to them. Moreover, as a result of our in-depth analysis we found three novel attacks.

We conducted a large-scale analysis of 30 different XML parsers across six different programming languages. We created an evaluation framework that applies different variants of 17 XML parser attacks and executed a total of 1459 attack vectors to provide valuable insight into a parser's configuration. We found vulnerabilities in the default configurations of 66 % of all tested parsers. In addition, we comprehensively inspected the parser features intended to prevent these attacks, show their unexpected side effects, and propose secure configurations.
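The abstract's point is that both Billion Laughs and XXE need a DTD, so a secure parser configuration can refuse the DOCTYPE before any entity is declared or expanded. The following is an added example of such a configuration built on Python's standard-library expat binding; it is not the paper's evaluation framework, and the two sample documents are constructed for illustration.

```python
"""Hardened XML parsing: reject any DTD before entities can be expanded.

Added example (not from the paper): a minimal 'secure configuration' in the
spirit of the abstract, built on Python's stdlib expat binding.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document carries a DTD, the precondition
    for both Billion Laughs (entity expansion) and XXE (external entities)."""


def parse_untrusted(data: bytes) -> dict:
    """Parse XML with a configuration that refuses DOCTYPE declarations.

    Returns {"root": tag, "text": concatenated character data, "elements": count}.
    """
    parser = expat.ParserCreate()
    # Never read or process parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result = {"root": None, "text": "", "elements": 0}

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Expat invokes this before any entity from the DTD is declared or
        # expanded, so aborting here stops the attacks at their root cause.
        raise UnsafeXMLError(f"DOCTYPE '{name}' not allowed in untrusted input")

    def start(tag, attrs):
        if result["root"] is None:
            result["root"] = tag
        result["elements"] += 1

    def chars(text):
        result["text"] += text

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # a handler exception propagates out of Parse()
    return result


# Constructed samples (not from the paper's attack corpus): one plain document
# and one that declares nested internal entities inside a DOCTYPE.
BENIGN = b"<doc><item>alpha</item><item>beta</item></doc>"
WITH_DTD = (
    b'<!DOCTYPE doc [ <!ENTITY a "aaaa"> <!ENTITY b "&a;&a;&a;&a;"> ]>'
    b"<doc>&b;</doc>"
)


def is_accepted(data: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it rejects it."""
    try:
        parse_untrusted(data)
        return True
    except UnsafeXMLError:
        return False
```

The same check can be applied to a parser under test with any other DTD-bearing input: if it returns the expanded text instead of raising, the configuration still expands entities and is the case the paper's 66 % figure describes.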


BibTeX
@inproceedings {198467,
author = {Christopher Sp{\"a}th and Christian Mainka and Vladislav Mladenov and J{\"o}rg Schwenk},
title = {SoK: {XML} Parser Vulnerabilities},
booktitle = {10th {USENIX} Workshop on Offensive Technologies ({WOOT} 16)},
year = {2016},
address = {Austin, TX},
url = {https://www.usenix.org/conference/woot16/workshop-program/presentation/spath},
publisher = {{USENIX} Association},
month = aug,
}