XML Parser Evaluation
For some time now, we have been researching in excruciating detail how prevalent DTD attacks are across different XML parsers.
For a quick recap of which attacks are possible, see our DTD Cheat Sheet post.
In this post, we present the results in a nutshell.
The information presented here is based on this master's thesis, which covers the respective results in greater detail.
Test Methodology
We identified 16 test vectors, each testing a specific attack vector (e.g. XXE, various kinds of DoS, XXE via parameter entities, ...). We ran these tests against the default parser configuration and therefore call them core tests.
Additional tests are based on the same test vectors, but we executed them against custom (modified) parser configurations to show the effect of specific parser features.
The complete test set is available on github.
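To make the core-test versus custom-configuration distinction concrete, here is a small harness in the same spirit. It is an added illustration written for this post, not part of the thesis test set or its GitHub repository. It assumes Python's standard-library xml.sax parser (expat-based) as the parser under test, treats the xml.sax feature_external_ges flag as the "custom configuration" being toggled, and points the external-entity probe at a temporary file the harness creates itself, so nothing outside the sandbox is read.

```python
"""Minimal DTD-attack test harness (added example, not the thesis test set).

Assumptions:
  * parser under test: Python's stdlib xml.sax (expat-based)
  * the "custom configuration" toggled is xml.sax.handler.feature_external_ges
  * the XXE probe references a temporary file constructed by the harness
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects all character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def parse_text(doc, external_ges=None):
    """Parse `doc` (str) and return its concatenated text content.

    external_ges=None keeps the parser default (the "core test");
    True/False forces the feature on or off (a "custom configuration").
    """
    parser = xml.sax.make_parser()
    if external_ges is not None:
        parser.setFeature(feature_external_ges, external_ges)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(doc.encode("utf-8")))
    return collector.text


def xxe_probe(external_ges=None):
    """Test vector "XXE": does the parser read a local file via a SYSTEM entity?

    Returns (vulnerable, text). The referenced file and its marker string are
    constructed by the harness, so the probe is self-contained.
    """
    marker = "CONSTRUCTED-SECRET-MARKER"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "probe.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(marker)
        doc = (
            '<?xml version="1.0"?>\n'
            "<!DOCTYPE data [\n"
            f'  <!ENTITY ext SYSTEM "{path}">\n'
            "]>\n"
            "<data>&ext;</data>"
        )
        text = parse_text(doc, external_ges)
    # The attack worked only if the file content surfaced in the parsed text.
    return marker in text, text


def entity_expansion_probe(external_ges=None):
    """Test vector "DoS via entity expansion": how far does the parser expand?

    Three nested internal entities with 10 references each expand to
    10 * 10 * 10 = 1000 characters from a ~200-byte document. Returns
    (expanded_length, document_length); a parser that enforces expansion
    limits would raise or stop short of the full expansion.
    """
    doc = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        '  <!ENTITY a "xxxxxxxxxx">\n'
        '  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
        '  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
        "]>\n"
        "<data>&c;</data>"
    )
    try:
        text = parse_text(doc, external_ges)
    except xml.sax.SAXException:
        return 0, len(doc)  # parser refused the document: expansion limited
    return len(text), len(doc)


if __name__ == "__main__":
    configs = (("default (core test)", None),
               ("external_ges=True", True),
               ("external_ges=False", False))
    for label, cfg in configs:
        vulnerable, _ = xxe_probe(cfg)
        print(f"XXE [{label}]: {'VULNERABLE' if vulnerable else 'mitigated'}")
    expanded, doc_len = entity_expansion_probe()
    print(f"DoS [default]: {doc_len} bytes in -> {expanded} chars out")
```

Running the script gives one line per configuration for the XXE vector and the measured expansion for the DoS vector. The verdict for the default configuration is what the post calls a core test; the two forced settings show how a single parser feature flips the outcome, which is exactly what the custom-configuration tests in the thesis are designed to surface.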
Results
We analyzed the following parsers and summarized the test results in Table 1. Attacks that cannot be mitigated are marked with an asterisk.