XML Parser Evaluation
For some time now, we've been researching in excruciating detail the prevalence of DTD attacks on different XML parsers. For a quick recap of which attacks are possible, see our DTD Cheat Sheet post.
In this post, we present the results in a nutshell.
The information presented here is based on this master's thesis, which covers the respective results in greater detail.
Test Methodology
We identified 16 test vectors, each testing a specific attack vector (e.g. XXE, various kinds of DoS, XXE via parameter entities, ...). We ran these tests against the default parser configuration and therefore call them core tests.
Additional tests are based on the same test vectors, but we executed them against custom (modified) parser configurations to show the effect of specific parser features.
The complete test set is available on GitHub.
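To make the core-test versus custom-configuration distinction concrete, here is a small harness in the same spirit, written for this post as an added example; it is not part of the test set on GitHub or of the thesis. It runs constructed, deliberately harmless DTD vectors (an internal entity, a two-level nested entity, an external entity reference that is only recorded and never fetched, and a DTD-free control) against Python's expat parser, once in its default configuration and once with a custom configuration that refuses every entity declaration. The vector names, the `harden` flag and the verdict dictionary are assumptions of this example.

```python
import xml.parsers.expat as expat

# Constructed test vectors: harmless stand-ins for the vector classes
# discussed above (internal entity expansion, nested expansion as a tiny
# DoS-style amplification, external entity reference, no DTD at all).
VECTORS = {
    "internal-entity": '<!DOCTYPE r [<!ENTITY e "expanded">]><r>&e;</r>',
    "nested-entity":   '<!DOCTYPE r [<!ENTITY a "xx"><!ENTITY b "&a;&a;&a;">]><r>&b;</r>',
    "external-entity": '<!DOCTYPE r [<!ENTITY x SYSTEM "http://example.invalid/x">]><r>&x;</r>',
    "no-dtd":          "<r>plain</r>",
}


class DtdBlocked(Exception):
    """Raised by the hardened configuration as soon as any entity is declared."""


def run_vector(doc, harden=False):
    """Parse one vector and report what the parser actually did.

    Returns a dict with:
      verdict  - "parsed", "blocked" (hardened config refused the DTD) or "error"
      text     - character data the application would have received
      ratio    - output characters per input character (amplification measure)
      external - system identifiers the parser asked us to resolve (never fetched)
    """
    parser = expat.ParserCreate()
    text, external = [], []
    parser.CharacterDataHandler = text.append

    def on_external(context, base, system_id, public_id):
        # Record that resolution was attempted; returning 1 without parsing
        # anything means no network or file access happens.
        external.append(system_id)
        return 1

    parser.ExternalEntityRefHandler = on_external

    if harden:
        # Custom configuration: reject the document on the first entity
        # declaration, which disables every DTD-based vector at once.
        def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
            raise DtdBlocked(name)

        parser.EntityDeclHandler = on_entity_decl

    try:
        parser.Parse(doc, True)
    except DtdBlocked as exc:
        return {"verdict": "blocked", "entity": str(exc), "text": "", "ratio": 0.0, "external": []}
    except expat.ExpatError as exc:
        return {"verdict": "error", "error": str(exc), "text": "", "ratio": 0.0, "external": []}

    joined = "".join(text)
    return {
        "verdict": "parsed",
        "text": joined,
        "ratio": round(len(joined) / len(doc), 3),
        "external": external,
    }


def run_all(harden=False):
    """Run every vector; harden=False is the core test, harden=True a custom config."""
    return {name: run_vector(doc, harden) for name, doc in VECTORS.items()}


if __name__ == "__main__":
    for label, harden in (("core (default config)", False), ("custom (entities refused)", True)):
        print(f"== {label} ==")
        for name, result in run_all(harden).items():
            print(f"{name:16} {result['verdict']:8} text={result['text']!r} "
                  f"ratio={result['ratio']} external={result['external']}")
```

Running it shows the two columns a parser evaluation like this one cares about: in the default configuration expat expands internal and nested entities and asks the application to resolve the external reference, while the custom configuration blocks all three DTD vectors and still parses the DTD-free control document unchanged.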