XML Content Attacks
Web Services Edge 2005 East: WSS-6

Girish Juneja has more than 15 years of experience in the high technology industry, with extensive product management, product strategy, engineering management, and technology marketing expertise. He is the cofounder of Sarvega. Since Sarvega’s inception, Girish has led the Sarvega engineering and customer services organizations to develop Sarvega’s industry-leading core XESOS technology and XML Networking products.

This talk defines a new class of threats, XML Content Attacks, and differentiates them from more general Web services attacks and XML security-based attacks, explaining each of these three related but distinct threat areas. It covers XML Content Attacks with regard to tree-based parsing exploits related to coercive parsing, node-depth attacks, and DOM. It discusses XML grammar validation exploits such as schema poisoning and lax content models, and explains why traditional schema validation cannot ensure content-model consistency. Web services attacks such as WSDL scanning and parameter tampering (SQL injection, SOAP array attack) are also discussed, highlighting common mistakes made when applying message-level security (WS-Security).
