Extensible Markup Language (XML)
Extensible Markup Language (XML) is a system for structuring documents so that they are both human-readable and machine-readable.
- is a text-based markup language that uses tags derived from SGML
- primary purpose is to transfer data
- used by web applications for authentication and authorization
- uses opening and closing tags
- but it does not define the tags
- author can invent the tags and the structure
- allows developer to tag data fields with something more meaningful
Example
  <!-- element names may not contain spaces, so the fields are written ProductName, ProductNumber and ProductPrice -->
  <Products>
    <Product>
      <ProductName>Adjustable Race</ProductName>
      <ProductNumber>AR-5381</ProductNumber>
      <ProductPrice>5.00</ProductPrice>
    </Product>
    <Product>
      <ProductName>Bearing Ball</ProductName>
      <ProductNumber>BA-8327</ProductNumber>
      <ProductPrice>4.50</ProductPrice>
    </Product>
  </Products>
XML Attacks
- Data submitted via XML with no encryption or input validation is vulnerable to:
  - spoofing
  - request forgery
  - injection of arbitrary data or code
- Attacks that target the way a server parses an XML file submitted for upload or XML data submitted in a URL:
  - XML Bomb (Billion Laughs attack)
    - the XML declares entities that reference one another so that they expand to exponential size when resolved, consuming memory on the host and potentially crashing it
  - XML External Entity (XXE)
    - embeds a request for a local resource
    - such as the server's password file
- Extensible Markup Language (XML) Injection
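An added example, not part of the original notes, showing the defensive side of the XML Bomb and XXE items above: a Python loader for the Products document that refuses any submitted XML carrying a DOCTYPE, since both attacks depend on ENTITY declarations that can only appear there. The sample documents are constructed and the function names are my own.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised when submitted XML carries a DOCTYPE declaration."""

def screen_for_doctype(data: str) -> None:
    """First pass: run expat over the text and abort at the first DOCTYPE.
    Entity bombs and XXE both rely on ENTITY declarations, which can only
    appear inside a DOCTYPE, so refusing DOCTYPE stops both before any
    entity is expanded or fetched."""
    parser = xml.parsers.expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' is not accepted in submitted data")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)

def load_products(data: str) -> list:
    """Screen the document, then build the tree and extract product records."""
    screen_for_doctype(data)
    root = ET.fromstring(data)
    return [{"name": p.findtext("ProductName"),
             "number": p.findtext("ProductNumber"),
             "price": float(p.findtext("ProductPrice"))}
            for p in root.findall("Product")]

def rejects(data: str) -> bool:
    """True if the hardened loader refuses the document."""
    try:
        load_products(data)
    except UnsafeXML:
        return True
    return False

# Constructed sample: the page's product list with well-formed element names.
SAFE_DOC = """<Products>
<Product><ProductName>Adjustable Race</ProductName>
<ProductNumber>AR-5381</ProductNumber><ProductPrice>5.00</ProductPrice></Product>
<Product><ProductName>Bearing Ball</ProductName>
<ProductNumber>BA-8327</ProductNumber><ProductPrice>4.50</ProductPrice></Product>
</Products>"""

# Constructed sample: a DOCTYPE with nested internal entities, the shape an
# entity-expansion (billion laughs) payload starts from; kept tiny here.
ENTITY_DOC = """<!DOCTYPE Products [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;&a;">]>
<Products><Product><ProductName>&b;</ProductName></Product></Products>"""

if __name__ == "__main__":
    print(load_products(SAFE_DOC))
    print("entity document rejected:", rejects(ENTITY_DOC))
```

The screening pass costs a second parse of legitimate documents, but it aborts a hostile one at its first declaration, before any entity is resolved.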
XML Protections
XML Encryption is a standard for encrypting XML data, ensuring its confidentiality.
XML Signature is a standard for digitally signing XML data, ensuring its integrity and authenticity.