Last Modified: 1/29/08
  Computer Training
Introduction to XML

Security

XML offers powerful ways to structure, manage, share, and process data, but it also opens new possibilities for hackers.

  • Just like email and HTML files, XML files can be intercepted as they travel over the Internet. Do your data files contain sensitive information?
  • It is tempting to mix sensitive and innocuous data together in a single XML data file and then use templates to format the information for the appropriate audiences. Even if you control who can run the templates that display the sensitive information, the more public templates may point the way to the XML file. Once they know it is there, hackers could bypass the templates and retrieve the whole XML data file.
  • Unicode, on which XML is based, has a huge character set (65,000 characters), offering many new opportunities for hackers to create attacks that bypass conventional protections. An example is a Microsoft IIS vulnerability that allows access to folders (CERT Vulnerability Note VU#111677).

Steps Toward Security

  • Development of software for handling XML is still in its infancy. Many of the currently available tools do not give adequate consideration to security. You will have to understand their limitations and compensate for their weaknesses yourself.
  • Develop explicit schemas that make effective validation possible, so you know your data is what it should be.
  • Separate sensitive data and provide it with appropriate protections.
  • If you provide a way for users to enter data, validate it before writing it into your XML data file.
  • Don't trust inbound data. Validate it.
  • Ensure the quality of your outbound data. Validate it.
  • Inform yourself on the latest security issues relating to the hardware and software you are using.
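The following is an added example, not part of the original class material, showing how the "separate sensitive data" and "validate inbound data before writing it into your XML file" steps fit together. It assumes a hypothetical member record with two public fields and two sensitive fields; the field names and the rules for each are constructed for illustration, and the XML is built with ElementTree so that special characters in values are escaped rather than written as raw markup.

```python
import re
import xml.etree.ElementTree as ET

# Explicit rules for every field a user may submit (hypothetical schema for a member record).
# Anything not listed here is rejected, so unexpected fields never reach the data file.
PUBLIC_FIELDS = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}"),
    "department": re.compile(r"[A-Za-z &]{1,40}"),
}
SENSITIVE_FIELDS = {
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "salary": re.compile(r"\d{1,7}"),
}

def validate_record(record):
    """Check each inbound field against the schema; return (public, sensitive) dicts or raise ValueError."""
    public, sensitive = {}, {}
    for key, value in record.items():
        if not isinstance(value, str):
            raise ValueError(f"{key}: value is not a string")
        if key in PUBLIC_FIELDS:
            rule, destination = PUBLIC_FIELDS[key], public
        elif key in SENSITIVE_FIELDS:
            rule, destination = SENSITIVE_FIELDS[key], sensitive
        else:
            raise ValueError(f"{key}: field is not in the schema")
        if not rule.fullmatch(value):
            raise ValueError(f"{key}: value does not match the schema")
        destination[key] = value
    return public, sensitive

def to_xml(root_tag, fields):
    """Serialise fields with ElementTree, which escapes '<', '>' and '&' in text; never concatenate strings."""
    root = ET.Element(root_tag)
    for key, value in fields.items():
        ET.SubElement(root, key).text = value
    return ET.tostring(root, encoding="unicode")

def store_record(record):
    """Validate an inbound record and split it into two documents that can be protected separately."""
    public, sensitive = validate_record(record)
    return to_xml("member", public), to_xml("member-private", sensitive)

if __name__ == "__main__":
    # Constructed sample input, as a web form might submit it.
    sample = {"name": "Ann Lee", "department": "R & D", "ssn": "123-45-6789", "salary": "52000"}
    public_doc, private_doc = store_record(sample)
    print(public_doc)   # the sensitive fields are absent from the public document
    print(private_doc)
```

Because the two documents are written separately, a public template that points at the first file reveals nothing about the second, which is the exposure described under "Security" above.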


©1999 UW Technology