At Microsoft BlueHat v11 I’ll be delivering an internal-only briefing along with Matt Swann. While I can’t go into the confidential details of the talk, there are some things I want to mention that are more general and already public information. There’s significant attack surface when it comes to parsing XML documents and processing contextual information in those documents. The threats are not limited to any one tech stack, and can be found in most of the popular ones. The main exploit scenarios we see and test for regarding XML are:
- Information Disclosure (file system access)
- Logical Abuse
- Injection and XSS
- Denial of Service
- Remote Code Execution
I might blog about each one of these in turn because they’re each a little different and unfortunately the mitigation is not as simple as “validate input”.